From f27a9494d27d954d1763ea99c0491ddab6fb2aa4 Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Thu, 18 May 2023 18:43:22 +0530 Subject: [PATCH 01/18] Added validation for secureSettings in content READ API --- .../sunbird/content/actors/ContentActor.scala | 33 ++++++++++++++----- .../app/controllers/BaseController.scala | 2 +- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala index 16ebcc64d..77885dcb4 100644 --- a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala +++ b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala @@ -5,7 +5,9 @@ import java.util.concurrent.CompletionException import java.io.File import org.apache.commons.io.FilenameUtils import javax.inject.Inject +import org.apache.commons.lang3.ObjectUtils import org.apache.commons.lang3.StringUtils +import org.apache.commons.collections4.{CollectionUtils, MapUtils} import org.sunbird.`object`.importer.{ImportConfig, ImportManager} import org.sunbird.actor.core.BaseActor import org.sunbird.cache.impl.RedisCache 
@@ -74,18 +76,33 @@ class ContentActor @Inject() (implicit oec: OntologyEngineContext, ss: StorageSe val metadata: util.Map[String, AnyRef] = NodeUtil.serialize(node, fields, node.getObjectType.toLowerCase.replace("image", ""), request.getContext.get("version").asInstanceOf[String]) metadata.put("identifier", node.getIdentifier.replace(".img", "")) val response: Response = ResponseHandler.OK - if (responseSchemaName.isEmpty) { - response.put("content", metadata) - } - else { - response.put(responseSchemaName, metadata) - } - if(!StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { - response + if (responseSchemaName.isEmpty) { + response.put("content", metadata) } else { + response.put(responseSchemaName, metadata) + } + if (StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { throw new ClientException("ERR_ACCESS_DENIED", "content visibility is private, hence access denied") } + var sa = metadata.get("secureSettings") + var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + //Content should be read by unique org users only. + var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] + if (orgList.contains(userChannelId)) { + response + } else { + throw new ClientException("ERR_ACCESS_DENIED", "User is not allowed to read this content.") + } + } else { + response + } + } else { + response + } }) } diff --git a/content-api/content-service/app/controllers/BaseController.scala b/content-api/content-service/app/controllers/BaseController.scala index 3b7125e19..5377c9723 100644 
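Review bot: The access decision hinges on `request.getRequest.getOrDefault("x-user-channel-id", "")`, a plain key in the request map, so it is only as trustworthy as the gateway that populates the `x-authenticated-user-channel-id` header this patch maps onto it; a comment on that line should state that the value must originate from the authenticated header and never from client-supplied input. The cast `asInstanceOf[util.ArrayList[String]]` fails with a ClassCastException (a 500, not a denial) if the serialized value is any other List implementation; `asInstanceOf[util.List[String]]` is all `contains` needs. `var sa = metadata.get("secureSettings")` is an unused local, and `ObjectUtils` is imported in the first hunk without being used here. The enclosing read method continues outside the hunk.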
--- a/content-api/content-service/app/controllers/BaseController.scala +++ b/content-api/content-service/app/controllers/BaseController.scala @@ -63,7 +63,7 @@ abstract class BaseController(protected val cc: ControllerComponents)(implicit e } def commonHeaders(ignoreHeaders: Option[List[String]] = Option(List()))(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) + val customHeaders = Map("x-authenticated-user-channel-id" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) customHeaders.map(ch => { val value = request.headers.get(ch._1) if (value.isDefined && !value.isEmpty) { From aa43c38dd9f3650dbc2892382a13439248f9a63d Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Thu, 25 May 2023 14:39:04 +0530 Subject: [PATCH 02/18] Added hierarchy API changes --- .../sunbird/managers/HierarchyManager.scala | 31 +++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index 186232d39..bdfc12a6b 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala 
@@ -132,7 +132,9 @@ object HierarchyManager { } val bookmarkId = request.get("bookmarkId").asInstanceOf[String] var metadata: util.Map[String, AnyRef] = NodeUtil.serialize(rootNode, new util.ArrayList[String](), request.getContext.get("schemaName").asInstanceOf[String], request.getContext.get("version").asInstanceOf[String]) - + if (!validateContentSecurity(request, metadata)) { + Future(ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId"))) + } fetchRelationalMetadata(request, rootNode.getIdentifier).map(collRelationalMetadata => { val hierarchy = fetchHierarchy(request, rootNode.getIdentifier) @@ -211,7 +213,9 @@ object HierarchyManager { if (!result.isEmpty) { val bookmarkId = request.get("bookmarkId").asInstanceOf[String] val rootHierarchy = result.get("content").asInstanceOf[util.Map[String, AnyRef]] - if (StringUtils.isEmpty(bookmarkId)) { + if (validateContentSecurity(request, rootHierarchy)) { + ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId")) + } else if (StringUtils.isEmpty(bookmarkId)) { ResponseHandler.OK.put("content", rootHierarchy) } else { val children = rootHierarchy.getOrElse("children", new util.ArrayList[util.Map[String, AnyRef]]()).asInstanceOf[util.List[util.Map[String, AnyRef]]] 
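Review bot: In the `@@ -132` hunk the denial is never returned: `Future(ResponseHandler.ERROR(...))` is constructed inside the `if` and discarded, and execution falls through to `fetchRelationalMetadata(...)`, so a user whose org is not listed in `secureSettings.organisation` still receives the full hierarchy. Make the check the alternative branch: `if (!validateContentSecurity(request, metadata)) Future(ResponseHandler.ERROR(...)) else fetchRelationalMetadata(request, rootNode.getIdentifier).map(...)`. The `@@ -211` hunk has the opposite problem, denying exactly the users `validateContentSecurity` allows; PATCH 04 flips that condition but leaves the `@@ -132` site as it is here. The enclosing method ends outside the hunk.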
@@ -713,4 +717,27 @@ object HierarchyManager { if(configObjTypes.nonEmpty && !configObjTypes.contains(childNode.getOrDefault("objectType", "").asInstanceOf[String])) throw new ClientException("ERR_INVALID_CHILDREN", "Invalid Children objectType "+childNode.get("objectType")+" found for : "+childNode.get("identifier") + "| Please provide children having one of the objectType from "+ configObjTypes.asJava) } + + def validateContentSecurity(request: Request, metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = { + var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + var isUserAllowedToRead = true + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + //Content should be read by unique org users only. + var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] + if (!orgList.contains(userChannelId)) { + System.out.println("Org List doesn't have orgId received from request...") + isUserAllowedToRead = false + } else { + System.out.println("OrgList contains user given orgId") + } + } else { + System.out.println("Org List is empty...") + } + } else { + System.out.println("SecureSettings is not available...") + } + isUserAllowedToRead + } } From 2d85c1aba41bd3ff17af0199caa55e030fcb5d07 Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Thu, 25 May 2023 23:36:20 +0530 Subject: [PATCH 03/18] Adding prefix _rc for secure contents --- .../sunbird/graph/service/util/BaseQueryGenerationUtil.java | 3 +++ 1 file changed, 3 insertions(+) 
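Review bot: `securityAttribute.getOrDefault("organisation", …).asInstanceOf[util.ArrayList[String]]` assumes a concrete ArrayList; if the serialized metadata carries any other List implementation the cast throws ClassCastException and the request fails with a 500 instead of a clean allow/deny — `util.List[String]` is sufficient for `contains`. The same default-then-cast on `secureSettings` throws when the stored value is a String rather than a map, a case PATCH 10 explicitly handles in ContentActor. The `var` flag and nested branches reduce to a single expression, and the `implicit ec` parameter is unused. Rewritten body (the debug `println`s are removed in PATCH 04 anyway):
```scala
def validateContentSecurity(request: Request, metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = {
  val securityAttribute = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]]
  if (MapUtils.isEmpty(securityAttribute)) true
  else {
    // A List cast is enough for contains; ArrayList would reject other List implementations.
    val orgList = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.List[String]]
    // No organisation restriction means readable; otherwise the caller's org must be listed.
    CollectionUtils.isEmpty(orgList) ||
      orgList.contains(request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String])
  }
}
```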
diff --git a/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java b/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java index df732461d..09fabece2 100644 --- a/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java +++ b/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java @@ -172,6 +172,9 @@ protected static Map getSystemPropertyQueryMap(Node node, String if (StringUtils.isBlank(node.getIdentifier())) node.setIdentifier(Identifier.getIdentifier(node.getGraphId(), Identifier.getUniqueIdFromTimestamp())); + if (node.getMetadata().containsKey("secureSettings")) { + node.setIdentifier(node.getIdentifier() + "_rc"); + } // Adding 'IL_UNIQUE_ID' Property query.append( SystemProperties.IL_UNIQUE_ID.name() + ": { SP_" + SystemProperties.IL_UNIQUE_ID.name() + " }, "); From 351714d6f64ea215b88a81679f47112bf81bb98f Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Fri, 26 May 2023 12:18:48 +0530 Subject: [PATCH 04/18] Updated content security validation properly --- .../scala/org/sunbird/managers/HierarchyManager.scala | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index bdfc12a6b..dba2a5b70 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala 
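Review bot: The `_rc` suffix is appended whenever the metadata contains a `secureSettings` key, with no check that the identifier does not already end in `_rc`; if `getSystemPropertyQueryMap` is reached for an existing node (an update path, which cannot be confirmed from this hunk) the identifier would grow to `…_rc_rc`. `containsKey` is also true for a null or empty `secureSettings` value, so content with no actual restriction would get the marker. Suggest `if (node.getMetadata().get("secureSettings") != null && !node.getIdentifier().endsWith("_rc"))`, plus a comment explaining what `_rc` signals to consumers of the identifier. The enclosing method starts and ends outside the hunk.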
@@ -213,7 +213,7 @@ object HierarchyManager { if (!result.isEmpty) { val bookmarkId = request.get("bookmarkId").asInstanceOf[String] val rootHierarchy = result.get("content").asInstanceOf[util.Map[String, AnyRef]] - if (validateContentSecurity(request, rootHierarchy)) { + if (!validateContentSecurity(request, rootHierarchy)) { ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId")) } else if (StringUtils.isEmpty(bookmarkId)) { ResponseHandler.OK.put("content", rootHierarchy) @@ -727,16 +727,9 @@ object HierarchyManager { //Content should be read by unique org users only. var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] if (!orgList.contains(userChannelId)) { - System.out.println("Org List doesn't have orgId received from request...") isUserAllowedToRead = false - } else { - System.out.println("OrgList contains user given orgId") } - } else { - System.out.println("Org List is empty...") } - } else { - System.out.println("SecureSettings is not available...") } isUserAllowedToRead } From 3a4ef1db85f7eda867e8032b97e913f420f3a7b9 Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Mon, 29 May 2023 15:39:33 +0530 Subject: [PATCH 05/18] Added csJwtToken in hierarchy response --- .../sunbird/managers/HierarchyManager.scala | 32 +++++++++++++++---- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index dba2a5b70..5cba19d23 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala 
@@ -215,15 +215,21 @@ object HierarchyManager { val rootHierarchy = result.get("content").asInstanceOf[util.Map[String, AnyRef]] if (!validateContentSecurity(request, rootHierarchy)) { ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId")) - } else if (StringUtils.isEmpty(bookmarkId)) { - ResponseHandler.OK.put("content", rootHierarchy) } else { - val children = rootHierarchy.getOrElse("children", new util.ArrayList[util.Map[String, AnyRef]]()).asInstanceOf[util.List[util.Map[String, AnyRef]]] - val bookmarkHierarchy = filterBookmarkHierarchy(children, bookmarkId) - if (MapUtils.isEmpty(bookmarkHierarchy)) { - ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "bookmarkId " + bookmarkId + " does not exist") + if (isSecureContent(rootHierarchy)) { + rootHierarchy.put("csJwtToken", request.get("rootId")) + } + + if (StringUtils.isEmpty(bookmarkId)) { + ResponseHandler.OK.put("content", rootHierarchy) } else { - ResponseHandler.OK.put("content", bookmarkHierarchy) + val children = rootHierarchy.getOrElse("children", new util.ArrayList[util.Map[String, AnyRef]]()).asInstanceOf[util.List[util.Map[String, AnyRef]]] + val bookmarkHierarchy = filterBookmarkHierarchy(children, bookmarkId) + if (MapUtils.isEmpty(bookmarkHierarchy)) { + ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "bookmarkId " + bookmarkId + " does not exist") + } else { + ResponseHandler.OK.put("content", bookmarkHierarchy) + } } } } else 
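Review bot: `rootHierarchy.put("csJwtToken", request.get("rootId"))` stores the content identifier itself under a field named like a token, so until PATCH 11's generator is wired in a consumer receives a predictable value. The field is put on `rootHierarchy`, but the `bookmarkId` branch returns `bookmarkHierarchy`, a child map filtered from `children`, so the token does not appear in the bookmark response — if that is intended, a comment should say so; otherwise put it on whichever map is returned. `rootHierarchy` is `result.get("content")` from a source outside the hunk; if `result` is a cached object, mutating it would persist the token into the cache — worth confirming. The enclosing method ends outside the hunk.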
@@ -718,6 +724,18 @@ object HierarchyManager { throw new ClientException("ERR_INVALID_CHILDREN", "Invalid Children objectType "+childNode.get("objectType")+" found for : "+childNode.get("identifier") + "| Please provide children having one of the objectType from "+ configObjTypes.asJava) } + def isSecureContent (metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = { + var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + var isSecureContent = false + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + isSecureContent = true + } + } + isSecureContent + } + def validateContentSecurity(request: Request, metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = { var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] var isUserAllowedToRead = true From 3e675bc8da6aef9d30aea845bb77187911638297 Mon Sep 17 00:00:00 2001 From: wilkysingh-tarento <97211740+wilkysingh-tarento@users.noreply.github.com> Date: Mon, 29 May 2023 16:42:06 +0530 Subject: [PATCH 06/18] default search is modified for contentSecurity (#55) --- .../org/sunbird/search/dto/SearchDTO.java | 7 +++++++ .../search/processor/SearchProcessor.java | 19 ++++++++++++++++++- .../search-service/conf/application.conf | 5 ++++- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java index 6fa3d15a9..baa0ca3fe 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java 
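Review bot: `isSecureContent` duplicates the `secureSettings` → `organisation` extraction of `validateContentSecurity` a few lines below, including the `asInstanceOf[util.ArrayList[String]]` cast that throws on any other List implementation; both also declare an unused `implicit ec`. Pull the extraction into one private helper that both call so the two access checks cannot drift apart, and express the flag as an expression instead of a `var`:
```scala
// Shared extraction of secureSettings.organisation; an empty list means no org restriction.
private def secureOrgList(metadata: util.Map[String, AnyRef]): util.List[String] = {
  val securityAttribute = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]]
  if (MapUtils.isEmpty(securityAttribute)) new util.ArrayList[String]
  else securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.List[String]]
}

def isSecureContent(metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean =
  !CollectionUtils.isEmpty(secureOrgList(metadata))
// … unchanged: validateContentSecurity (should call secureOrgList as well) …
```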
+++ b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java @@ -16,6 +16,7 @@ public class SearchDTO { private int limit; private int offset; boolean fuzzySearch = false; + boolean secureSettings = false; private Map additionalProperties = new HashMap(); private Map softConstraints = new HashMap(); private List> aggregations = new ArrayList<>(); @@ -72,6 +73,12 @@ public boolean isFuzzySearch() { public void setFuzzySearch(boolean fuzzySearch) { this.fuzzySearch = fuzzySearch; } + public boolean isSecureSettings() { + return secureSettings; + } + public void setSecureSettings(boolean secureSettings) { + this.secureSettings = secureSettings; + } public Map getAdditionalProperties() { return additionalProperties; } diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java index c95fc4f24..65cf0d503 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java @@ -5,6 +5,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; +import org.apache.lucene.search.join.ScoreMode; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.index.query.*; import org.elasticsearch.index.query.MultiMatchQueryBuilder.Type; 
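Review bot: Nothing in this commit reads `isSecureSettings()` — `formQuery` in SearchProcessor keys off `Platform.config`, so the new DTO flag is dead until a later change consumes it; a comment on the field stating what it is meant to gate would help. The field `boolean secureSettings = false;` is package-private like `fuzzySearch` rather than `private` like `limit` and `offset`; prefer `private`. The added `import org.apache.lucene.search.join.ScoreMode;` is unused because `getSecureSettingsQuery` spells out `org.apache.lucene.search.join.ScoreMode.None`; use one or the other.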
@@ -342,6 +343,9 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { } private void formQuery(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy) { + boolean enableSecureSettings = Platform.config.hasPath("search.fields.enable.secureSettings") && + Platform.config.getBoolean("search.fields.enable.secureSettings"); + for (Map property : properties) { String opertation = (String) property.get("operation"); @@ -359,6 +363,8 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer relevanceSort = true; propertyName = "all_fields"; queryBuilder = getAllFieldsPropertyQuery(values, fuzzy); + if(!enableSecureSettings) + boolQuery.mustNot(getSecureSettingsQuery()); boolQuery.must(queryBuilder); continue; } @@ -447,6 +453,8 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer } } if (operation.equalsIgnoreCase(AND)) { + if(!enableSecureSettings) + boolQuery.mustNot(getSecureSettingsQuery()); boolQuery.must(queryBuilder); } else { boolQuery.should(queryBuilder); @@ -515,9 +523,18 @@ private QueryBuilder getAllFieldsPropertyQuery(List values, Boolean fuzz .operator(Operator.AND).type(Type.CROSS_FIELDS).fuzzyTranspositions(false).lenient(true)); } } - return queryBuilder; } + private QueryBuilder getSecureSettingsQuery() { + + QueryBuilder firstNestedQuery =new NestedQueryBuilder("secureSettings", + QueryBuilders.boolQuery() .mustNot(new ExistsQueryBuilder("organisation")), org.apache.lucene.search.join.ScoreMode.None); + QueryBuilder secondNestedQuery= new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() + .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); + QueryBuilder query = QueryBuilders.boolQuery() .should(firstNestedQuery).should (secondNestedQuery); + + return query; + } /** * @param softConstraints 
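Review bot: `boolQuery.mustNot(getSecureSettingsQuery())` is added inside the `for (Map property : properties)` loop, in both the `all_fields` branch and the AND branch, so the same exclusion clause is appended once per property; add it once where the root `boolQuery` is assembled (`prepareSearchQuery`, outside this hunk) or guard it with a local flag. The exclusion itself deserves a test: the two nested queries match documents whose `secureSettings` lacks `organisation` or has an empty one, so `mustNot` removes those and appears to keep documents with a populated `organisation` list, which reads as the reverse of hiding secure content from the default search — and `organisation.length` is not a field Elasticsearch derives on its own, so it needs an explicit mapping. `firstNestedQuery =new` and `.should (secondNestedQuery)` have stray spacing. `formQuery`'s body runs past the hunks shown.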
diff --git a/search-api/search-service/conf/application.conf b/search-api/search-service/conf/application.conf index 0b038102c..b39c0e2b5 100644 --- a/search-api/search-service/conf/application.conf +++ b/search-api/search-service/conf/application.conf @@ -315,4 +315,7 @@ content.tagging.property=["subject","medium"] search.payload.log_enable=true #Folling configuration would enable the fuzzy search when there are no matches found for given query. -search.fields.enable.fuzzy.when.noresult=false \ No newline at end of file +search.fields.enable.fuzzy.when.noresult=false + +#Following configuration would enable the secureSettings search +search.fields.enable.secureSettings=false \ No newline at end of file From f67f5f3127a755f0d5989f2a18ab93bbb08c5c2f Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Mon, 29 May 2023 18:08:27 +0530 Subject: [PATCH 07/18] Updated the attribute name for adding token --- .../src/main/scala/org/sunbird/managers/HierarchyManager.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index 5cba19d23..dbc645c56 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala @@ -217,7 +217,7 @@ object HierarchyManager { ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId")) } else { if (isSecureContent(rootHierarchy)) { - rootHierarchy.put("csJwtToken", request.get("rootId")) + rootHierarchy.put("cstoken", request.get("rootId")) } if (StringUtils.isEmpty(bookmarkId)) { From bd2be19805a207bb00549550fed27ec6b60aa0bc Mon Sep 17 00:00:00 2001 
From: karthik-tarento Date: Mon, 29 May 2023 18:35:53 +0530 Subject: [PATCH 08/18] Using proper header for reading user's orgId --- .../main/scala/org/sunbird/content/actors/ContentActor.scala | 3 +-- .../content-service/app/controllers/BaseController.scala | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala index 77885dcb4..944b646c1 100644 --- a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala +++ b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala @@ -78,8 +78,7 @@ class ContentActor @Inject() (implicit oec: OntologyEngineContext, ss: StorageSe val response: Response = ResponseHandler.OK if (responseSchemaName.isEmpty) { response.put("content", metadata) - } - else { + } else { response.put(responseSchemaName, metadata) } if (StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { diff --git a/content-api/content-service/app/controllers/BaseController.scala b/content-api/content-service/app/controllers/BaseController.scala index 5377c9723..f43ae0364 100644 --- a/content-api/content-service/app/controllers/BaseController.scala +++ b/content-api/content-service/app/controllers/BaseController.scala 
@@ -63,7 +63,7 @@ abstract class BaseController(protected val cc: ControllerComponents)(implicit e } def commonHeaders(ignoreHeaders: Option[List[String]] = Option(List()))(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-authenticated-user-channel-id" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) + val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) customHeaders.map(ch => { val value = request.headers.get(ch._1) if (value.isDefined && !value.isEmpty) { From 1b1e3313347d42d13308c4519cfc0e0b378c6d40 Mon Sep 17 00:00:00 2001 From: Sreerag K S <58926794+sreeragksgh@users.noreply.github.com> Date: Mon, 29 May 2023 19:03:40 +0530 Subject: [PATCH 09/18] Content security search service enhancement (#56) * Content security search service enhancement --- .../java/org/sunbird/actors/SearchActor.java | 3 +++ .../sunbird/search/util/SearchConstants.java | 1 + .../controllers/SearchBaseController.scala | 2 +- .../app/controllers/SearchController.scala | 22 +++++++++++++++++++ search-api/search-service/conf/routes | 1 + 5 files changed, 28 insertions(+), 1 deletion(-) diff --git a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java index 68f175363..bc3a29c60 100644 --- a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java +++ b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java 
@@ -95,6 +95,9 @@ private SearchDTO getSearchDTO(Request request) throws Exception { SearchDTO searchObj = new SearchDTO(); try { Map req = request.getRequest(); + String secureContentFlag = (String) req.get(SearchConstants.secureSettings); + if ("true".equalsIgnoreCase((String) req.get(SearchConstants.secureSettings))) + searchObj.setSecureSettings(true); TelemetryManager.log("Search Request: ", req); String queryString = (String) req.get(SearchConstants.query); int limit = getIntValue(req.get(SearchConstants.limit)); diff --git a/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java b/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java index 27b68a8ba..66d276168 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java @@ -114,4 +114,5 @@ public class SearchConstants { public static final String softConstraints = "softConstraints"; public static final String setDefaultVisibility = "setDefaultVisibility"; public static String soft = "soft"; + public static String secureSettings = "secureSettings"; } diff --git a/search-api/search-service/app/controllers/SearchBaseController.scala b/search-api/search-service/app/controllers/SearchBaseController.scala index 9e1735b35..ab8f8b966 100644 --- a/search-api/search-service/app/controllers/SearchBaseController.scala +++ b/search-api/search-service/app/controllers/SearchBaseController.scala 
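Review bot: `secureContentFlag` is assigned from `req.get(SearchConstants.secureSettings)` and then never used; the `if` on the next line repeats the same lookup and cast. Both casts are unchecked `(String)` — a JSON boolean `true` in the body arrives as a Boolean and would throw ClassCastException; `Boolean.parseBoolean(String.valueOf(req.get(SearchConstants.secureSettings)))` covers both forms. Because the flag is read from the request map, any caller of the public `/v3/search` can set it in the body just as the dedicated controller does; if it later gates filtering, read it from the request context set by the controller instead. `public static String secureSettings` should be `public static final` like `softConstraints` and `setDefaultVisibility`. `getSearchDTO` continues outside the hunk.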
@@ -25,7 +25,7 @@ abstract class SearchBaseController(protected val cc: ControllerComponents)(impl } def commonHeaders()(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") + val customHeaders = Map("x-authenticated-user-channel-id" -> "x-user-channel-id","x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") val headers = request.headers.headers.groupBy(_._1).mapValues(_.map(_._2)) val appHeaders = headers.filter(header => customHeaders.keySet.contains(header._1.toLowerCase)) .map(entry => (customHeaders.get(entry._1.toLowerCase()).get, entry._2.head)) diff --git a/search-api/search-service/app/controllers/SearchController.scala b/search-api/search-service/app/controllers/SearchController.scala index e76bcc5e3..3c61ad660 100644 --- a/search-api/search-service/app/controllers/SearchController.scala +++ b/search-api/search-service/app/controllers/SearchController.scala 
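Review bot: The search service reads `x-authenticated-user-channel-id` into `x-user-channel-id`, while PATCH 08 switched the content service to `x-authenticated-user-orgid` for the same key, so the two services consult different gateway headers for the same org-restriction check; pick one header name across services and record it in a comment next to the map. The missing space in `"x-user-channel-id","x-channel-id"` also breaks the style of the rest of the map. `commonHeaders` ends outside the hunk.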
@@ -37,6 +37,28 @@ class SearchController @Inject()(@Named(ActorNames.SEARCH_ACTOR) searchActor: Ac } } + def secureContentSearch() = loggingAction.async { implicit request => + val internalReq = getRequest(ApiId.APPLICATION_SEARCH) + setHeaderContext(internalReq) + val filters = internalReq.getRequest.getOrDefault(SearchConstants.filters, new java.util.HashMap()).asInstanceOf[java.util.Map[String, Object]] + val visibilityObject = filters.getOrDefault("visibility", "") + var visibility: util.List[String] = null + internalReq.put(SearchConstants.secureSettings, "true"); + if (visibilityObject != null) { + if (visibilityObject.isInstanceOf[util.ArrayList[_]]) + visibility = visibilityObject.asInstanceOf[util.ArrayList[String]] + else if (visibilityObject.isInstanceOf[String]) + visibility = util.Arrays.asList(visibilityObject.asInstanceOf[String]) + } + if (visibility.contains("Private")) { + getErrorResponse(ApiId.APPLICATION_SEARCH, apiVersion, SearchConstants.ERR_ACCESS_DENIED, "Cannot access private content through public search api") + } + else { + internalReq.getContext.put(SearchConstants.setDefaultVisibility, "true") + getResult(mgr.search(internalReq, searchActor), ApiId.APPLICATION_SEARCH) + } + } + def privateSearch() = loggingAction.async { implicit request => val internalReq = getRequest(ApiId.APPLICATION_PRIVATE_SEARCH) setHeaderContext(internalReq) diff --git a/search-api/search-service/conf/routes b/search-api/search-service/conf/routes index 44e6c9ad5..35422ed06 100644 --- a/search-api/search-service/conf/routes +++ b/search-api/search-service/conf/routes 
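Review bot: `visibility` starts as `null` and is only assigned when the filter is an `ArrayList` or a `String`; any other `util.List` implementation leaves it `null` and `visibility.contains("Private")` throws a NullPointerException. A pattern match removes the `var`, the `isInstanceOf`/`asInstanceOf` pair and the null path; the stray `;` after `internalReq.put(...)` should also go. The error response and the search dispatch are unchanged:
```scala
def secureContentSearch() = loggingAction.async { implicit request =>
  val internalReq = getRequest(ApiId.APPLICATION_SEARCH)
  setHeaderContext(internalReq)
  val filters = internalReq.getRequest.getOrDefault(SearchConstants.filters, new java.util.HashMap()).asInstanceOf[java.util.Map[String, Object]]
  internalReq.put(SearchConstants.secureSettings, "true")
  // Normalise the visibility filter to a list; unrecognised shapes count as "no filter".
  val visibility: util.List[String] = filters.getOrDefault("visibility", "") match {
    case l: util.List[_] => l.asInstanceOf[util.List[String]]
    case s: String => util.Arrays.asList(s)
    case _ => util.Collections.emptyList[String]()
  }
  if (visibility.contains("Private")) {
    // … unchanged: ERR_ACCESS_DENIED response …
  } else {
    // … unchanged: setDefaultVisibility and search dispatch …
  }
}
```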
@@ -6,6 +6,7 @@ GET /service/health controllers.HealthController.serviceHealth() #POST /v2/search controllers.SearchController.search() POST /v3/search controllers.SearchController.search() +POST /v3/secureContentSearch controllers.SearchController.secureContentSearch() POST /v3/private/search controllers.SearchController.privateSearch() POST /v2/search/count controllers.SearchController.count() POST /v3/count controllers.SearchController.count() From f9e8e16d1e13062a2424c751cf2425907047d78c Mon Sep 17 00:00:00 2001 From: karthik-tarento Date: Mon, 29 May 2023 21:50:21 +0530 Subject: [PATCH 10/18] Using user channel id header only for read --- .../sunbird/content/actors/ContentActor.scala | 30 ++++++++++--------- .../app/controllers/BaseController.scala | 17 ++++++++++- .../controllers/v3/ContentController.scala | 2 +- 3 files changed, 33 insertions(+), 16 deletions(-) diff --git a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala index 944b646c1..f8d641180 100644 --- a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala +++ b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala @@ -13,7 +13,7 @@ import org.sunbird.actor.core.BaseActor import org.sunbird.cache.impl.RedisCache import org.sunbird.content.util.{AcceptFlagManager, ContentConstants, CopyManager, DiscardManager, FlagManager, RetireManager} import org.sunbird.cloudstore.StorageService -import org.sunbird.common.{ContentParams, Platform, Slug} +import org.sunbird.common.{ContentParams, JsonUtils, Platform, Slug} import org.sunbird.common.dto.{Request, Response, ResponseHandler} import org.sunbird.common.exception.ClientException import org.sunbird.content.dial.DIALManager 
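Review bot: `/v3/secureContentSearch` returns org-restricted results based on the forwarded `x-authenticated-user-channel-id` header, yet nothing in this file distinguishes it from the unauthenticated `/v3/search` route; the protection has to come from the API gateway, presumably as for `/v3/private/search`, and a comment on the route saying so would make that dependency explicit.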
@@ -75,33 +75,35 @@ class ContentActor @Inject() (implicit oec: OntologyEngineContext, ss: StorageSe DataNode.read(request).map(node => { val metadata: util.Map[String, AnyRef] = NodeUtil.serialize(node, fields, node.getObjectType.toLowerCase.replace("image", ""), request.getContext.get("version").asInstanceOf[String]) metadata.put("identifier", node.getIdentifier.replace(".img", "")) - val response: Response = ResponseHandler.OK - if (responseSchemaName.isEmpty) { - response.put("content", metadata) - } else { - response.put(responseSchemaName, metadata) - } if (StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { throw new ClientException("ERR_ACCESS_DENIED", "content visibility is private, hence access denied") } var sa = metadata.get("secureSettings") - var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + var securityAttribute : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef] + if(sa.isInstanceOf[String]) { + securityAttribute = JsonUtils.deserialize(sa.asInstanceOf[String], classOf[java.util.Map[String, AnyRef]]) + metadata.put("secureSettings", securityAttribute) + } else if (sa.isInstanceOf[util.Map[String, AnyRef]]) { + securityAttribute = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + } + //var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] if (MapUtils.isNotEmpty(securityAttribute)) { var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] if (!CollectionUtils.isEmpty(orgList)) { //Content should be read by unique org users only. 
var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] - if (orgList.contains(userChannelId)) { - response - } else { + if (!orgList.contains(userChannelId)) { throw new ClientException("ERR_ACCESS_DENIED", "User is not allowed to read this content.") } - } else { - response } + } + val response: Response = ResponseHandler.OK + if (responseSchemaName.isEmpty) { + response.put("content", metadata) } else { - response + response.put(responseSchemaName, metadata) } + response }) } diff --git a/content-api/content-service/app/controllers/BaseController.scala b/content-api/content-service/app/controllers/BaseController.scala index f43ae0364..f915e9240 100644 --- a/content-api/content-service/app/controllers/BaseController.scala +++ b/content-api/content-service/app/controllers/BaseController.scala @@ -63,7 +63,7 @@ abstract class BaseController(protected val cc: ControllerComponents)(implicit e } def commonHeaders(ignoreHeaders: Option[List[String]] = Option(List()))(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) + val customHeaders = Map("x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) customHeaders.map(ch => { val value = request.headers.get(ch._1) if (value.isDefined && !value.isEmpty) { 
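Review bot: The `isInstanceOf[String]` / `isInstanceOf[util.Map[String, AnyRef]]` chain is an unchecked test on erased type arguments and leaves a commented-out copy of the old line behind; a pattern match on `metadata.get("secureSettings")` handles String, Map and absent in one expression. `JsonUtils.deserialize` on a malformed stored string will throw and surface as a 500 rather than a denial — worth a `Try` or at least a comment that the stored value is trusted to be valid JSON. HierarchyManager's `validateContentSecurity` and `isSecureContent` still cast `secureSettings` straight to a map, so the String form this hunk tolerates would throw there. The `x-user-channel-id` check and response assembly are unchanged:
```scala
// secureSettings may be stored as a JSON string or as a map; normalise to a map.
val securityAttribute: util.Map[String, AnyRef] = metadata.get("secureSettings") match {
  case s: String =>
    val parsed = JsonUtils.deserialize(s, classOf[java.util.Map[String, AnyRef]])
    metadata.put("secureSettings", parsed)
    parsed
  case m: util.Map[_, _] => m.asInstanceOf[util.Map[String, AnyRef]]
  case _ => new util.HashMap[String, AnyRef]
}
// … unchanged: organisation list / x-user-channel-id check and response assembly …
```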
@@ -209,4 +209,19 @@ abstract class BaseController(protected val cc: ControllerComponents)(implicit e
 Future(BadRequest(JavaJsonUtils.serialize(result)).as("application/json"))
 }
+ def commonReadHeaders(ignoreHeaders: Option[List[String]] = Option(List()))(implicit request: Request[AnyContent]): java.util.Map[String, Object] = {
+ val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key))
+ customHeaders.map(ch => {
+ val value = request.headers.get(ch._1)
+ if (value.isDefined && !value.isEmpty) {
+ collection.mutable.HashMap[String, Object](ch._2 -> value.get).asJava
+ } else {
+ collection.mutable.HashMap[String, Object]().asJava
+ }
+ }).reduce((a, b) => {
+ a.putAll(b)
+ return a
+ })
+ }
+
 }
diff --git a/content-api/content-service/app/controllers/v3/ContentController.scala b/content-api/content-service/app/controllers/v3/ContentController.scala
index 05c5b2470..63d69d8b9 100644
--- a/content-api/content-service/app/controllers/v3/ContentController.scala
+++ b/content-api/content-service/app/controllers/v3/ContentController.scala
@@ -43,7 +43,7 @@ class ContentController @Inject()(@Named(ActorNames.CONTENT_ACTOR) contentActor:
 * @return
 */
 def read(identifier: String, mode: Option[String], fields: Option[String]) = Action.async { implicit request =>
- val headers = commonHeaders()
+ val headers = commonReadHeaders()
 val content = new java.util.HashMap().asInstanceOf[java.util.Map[String, Object]]
 content.putAll(headers)
 content.putAll(Map("identifier" -> identifier, "mode" -> mode.getOrElse("read"), "fields" -> fields.getOrElse("")).asJava)
From 821fe63d6e05d51140f9cd4c6bc807d15350b0b5 Mon Sep 17 00:00:00 2001
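Review bot: `return a` inside the `reduce` lambda is a non-local return (it unwinds through `NonLocalReturnControl`), and `reduce` throws on an empty collection, which happens as soon as `ignoreHeaders` names all four keys; the same shape exists in `commonHeaders`, but this new copy is the place to fix it. A fold over a single mutable map avoids both: `customHeaders.foldLeft(new java.util.HashMap[String, Object]()) { case (acc, (header, key)) => request.headers.get(header).foreach(v => acc.put(key, v)); acc }`. Since the only difference from `commonHeaders` is the added `"x-authenticated-user-orgid" -> "x-user-channel-id"` entry, consider delegating to it instead of duplicating the body. This is also the line that turns a request header into the channel id used for the read authorisation check in ContentActor, so a Scaladoc stating that `x-authenticated-user-orgid` is expected to be set by the authenticating gateway would help the next maintainer.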
From: karthik-tarento
Date: Tue, 30 May 2023 11:40:11 +0530
Subject: [PATCH 11/18] Added logic to generate jwt token
---
 .../controllers/v3/ContentController.scala | 2 +-
 content-api/hierarchy-manager/pom.xml | 5 +
 .../sunbird/managers/HierarchyManager.scala | 14 +-
 platform-core/auth-verifier/pom.xml | 93 +++
 .../org/sunbird/auth/verifier/Base64Util.java | 741 ++++++++++++++++++
 .../org/sunbird/auth/verifier/CryptoUtil.java | 41 +
 .../org/sunbird/auth/verifier/JWTUtil.java | 56 ++
 .../sunbird/auth/verifier/JWTokenType.java | 22 +
 .../org/sunbird/auth/verifier/KeyData.java | 40 +
 .../org/sunbird/auth/verifier/KeyManager.java | 97 +++
 .../auth/verifier/PropertiesCache.java | 97 +++
 .../sunbird/auth/verifier/KeyManagerTest.java | 26 +
 platform-core/pom.xml | 1 +
 13 files changed, 1232 insertions(+), 3 deletions(-)
 create mode 100644 platform-core/auth-verifier/pom.xml
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java
 create mode 100644 platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java
 create mode 100644 platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java
diff --git a/content-api/content-service/app/controllers/v3/ContentController.scala b/content-api/content-service/app/controllers/v3/ContentController.scala
index 63d69d8b9..a5c73c51a 100644
--- a/content-api/content-service/app/controllers/v3/ContentController.scala
+++ b/content-api/content-service/app/controllers/v3/ContentController.scala @@ -94,7 +94,7 @@ class ContentController @Inject()(@Named(ActorNames.CONTENT_ACTOR) contentActor: } def getHierarchy(identifier: String, mode: Option[String]) = Action.async { implicit request => - val headers = commonHeaders() + val headers = commonReadHeaders() val content = new java.util.HashMap().asInstanceOf[java.util.Map[String, Object]] content.putAll(headers) content.putAll(Map("rootId" -> identifier, "mode" -> mode.getOrElse("")).asJava) diff --git a/content-api/hierarchy-manager/pom.xml b/content-api/hierarchy-manager/pom.xml index 828dac9fc..3ef8d21c8 100644 --- a/content-api/hierarchy-manager/pom.xml +++ b/content-api/hierarchy-manager/pom.xml @@ -12,6 +12,11 @@ hierarchy-manager + + org.sunbird + auth-verifier + 1.0-SNAPSHOT + org.sunbird graph-engine_2.11 diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index dbc645c56..7cdc626dd 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala @@ -4,6 +4,7 @@ import java.util import java.util.concurrent.CompletionException import com.fasterxml.jackson.databind.ObjectMapper import org.apache.commons.lang3.StringUtils +import org.sunbird.auth.verifier.JWTUtil import org.sunbird.cache.impl.RedisCache import org.sunbird.common.dto.{Request, Response, ResponseHandler, ResponseParams} import org.sunbird.common.exception.{ClientException, ErrorCodes, ResourceNotFoundException, ResponseCode, ServerException} 
@@ -217,9 +218,10 @@ object HierarchyManager {
 ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId"))
 } else {
 if (isSecureContent(rootHierarchy)) {
- rootHierarchy.put("cstoken", request.get("rootId"))
+ val csToken = generateCSToken(rootHierarchy.get("childNodes").asInstanceOf[util.List[String]])
+ rootHierarchy.put("cstoken", csToken)
 }
-
+
 if (StringUtils.isEmpty(bookmarkId)) {
 ResponseHandler.OK.put("content", rootHierarchy)
 } else {
@@ -751,4 +753,12 @@ object HierarchyManager {
 }
 isUserAllowedToRead
 }
+
+ def generateCSToken(children: util.List[String])(implicit ec: ExecutionContext): String = {
+ var csToken = "";
+ var claimsMap : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef]
+ claimsMap.put("contentIdentifier", children)
+ csToken = JWTUtil.createRS256Token(claimsMap)
+ csToken
+ }
 }
diff --git a/platform-core/auth-verifier/pom.xml b/platform-core/auth-verifier/pom.xml
new file mode 100644
index 000000000..196b91bde
--- /dev/null
+++ b/platform-core/auth-verifier/pom.xml
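Review bot: `rootHierarchy.get("childNodes").asInstanceOf[util.List[String]]` hands a null (or a non-List value) straight into the token claims, and `createRS256Token` returns `""` on any failure (see the JWTUtil hunk in this patch), so secure content can be served with an empty `cstoken` and no signal to the caller. Wrap the lookup in `Option(...)` with an explicit empty-list fallback, and treat an empty result from `generateCSToken` as a server-side error rather than storing it in the hierarchy. The enclosing method starts before this hunk.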
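Review bot: The token built in `generateCSToken` carries only `contentIdentifier`; with no `exp`/`iat` claim and nothing tying it to the requesting user or channel it is a bearer credential for the listed content ids that stays valid for as long as the signing key does. Add issued-at/expiry claims (and, if the verifier can check it, the requesting channel) before signing, and put the intended lifetime in a Scaladoc on the method. Stylistically, `implicit ec` is unused, `csToken` needs neither `var` nor the trailing semicolon, and `claimsMap` can be a `val`: `val claimsMap: util.Map[String, AnyRef] = new util.HashMap[String, AnyRef]` / `claimsMap.put("contentIdentifier", children)` / `JWTUtil.createRS256Token(claimsMap)`.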
@@ -0,0 +1,93 @@ + + + + platform-core + org.sunbird + 1.0-SNAPSHOT + + 4.0.0 + + auth-verifier + + + + com.fasterxml.jackson.core + jackson-core + ${fasterxml.jackson.version} + + + org.sunbird + common-util + 0.0.1-SNAPSHOT + + + org.sunbird + platform-telemetry + 1.0-SNAPSHOT + jar + + + org.mockito + mockito-core + ${mockito.core.version} + test + + + org.powermock + powermock-api-mockito2 + ${powermock.api.mockito2.version} + test + + + org.powermock + powermock-module-junit4 + ${powermock.module.junit4.version} + test + + + ch.qos.logback + logback-classic + 1.2.3 + + + net.logstash.logback + logstash-logback-encoder + 6.3 + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.8.1 + + 11 + + + + org.jacoco + jacoco-maven-plugin + 0.8.5 + + + default-prepare-agent + + prepare-agent + + + + default-report + prepare-package + + report + + + + + + + \ No newline at end of file diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java new file mode 100644 index 000000000..619330d24 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java 
@@ -0,0 +1,741 @@ +package org.sunbird.auth.verifier; + +/* + * Copyright (C) 2010 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import java.io.UnsupportedEncodingException; + +/** + * Utilities for encoding and decoding the Base64 representation of + * binary data. See RFCs 2045 and 3548. + */ +public class Base64Util { + /** + * Default values for encoder/decoder flags. + */ + public static final int DEFAULT = 0; + + /** + * Encoder flag bit to omit the padding '=' characters at the end + * of the output (if any). + */ + public static final int NO_PADDING = 1; + + /** + * Encoder flag bit to omit all line terminators (i.e., the output + * will be on one long line). + */ + public static final int NO_WRAP = 2; + + /** + * Encoder flag bit to indicate lines should be terminated with a + * CRLF pair instead of just an LF. Has no effect if {@code + * NO_WRAP} is specified as well. + */ + public static final int CRLF = 4; + + /** + * Encoder/decoder flag bit to indicate using the "URL and + * filename safe" variant of Base64 (see RFC 3548 section 4) where + * {@code -} and {@code _} are used in place of {@code +} and + * {@code /}. + */ + public static final int URL_SAFE = 8; + + /** + * Flag to pass to {Base64OutputStream} to indicate that it + * should not close the output stream it is wrapping when it + * itself is closed. 
+ */ + public static final int NO_CLOSE = 16; + + // -------------------------------------------------------- + // shared code + // -------------------------------------------------------- + + private Base64Util() { + } // don't instantiate + + // -------------------------------------------------------- + // decoding + // -------------------------------------------------------- + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param str the input String to decode, which is converted to + * bytes using the default charset + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(String str, int flags) { + return decode(str.getBytes(), flags); + } + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param input the input array to decode + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(byte[] input, int flags) { + return decode(input, 0, input.length, flags); + } + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param input the data to decode + * @param offset the position within the input array at which to start + * @param len the number of bytes of input to decode + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(byte[] input, int offset, int len, int flags) { + // Allocate space for the most data the input could represent. + // (It could contain less if it contains whitespace, etc.) + Decoder decoder = new Decoder(flags, new byte[len * 3 / 4]); + + if (!decoder.process(input, offset, len, true)) { + throw new IllegalArgumentException("bad base-64"); + } + + // Maybe we got lucky and allocated exactly enough output space. + if (decoder.op == decoder.output.length) { + return decoder.output; + } + + // Need to shorten the array, so allocate a new one of the + // right size and copy. + byte[] temp = new byte[decoder.op]; + System.arraycopy(decoder.output, 0, temp, 0, decoder.op); + return temp; + } + + /** + * Base64-encode the given data and return a newly allocated + * String with the result. + * + * @param input the data to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static String encodeToString(byte[] input, int flags) { + try { + return new String(encode(input, flags), "US-ASCII"); + } catch (UnsupportedEncodingException e) { + // US-ASCII is guaranteed to be available. 
+ throw new AssertionError(e); + } + } + + // -------------------------------------------------------- + // encoding + // -------------------------------------------------------- + + /** + * Base64-encode the given data and return a newly allocated + * String with the result. + * + * @param input the data to encode + * @param offset the position within the input array at which to + * start + * @param len the number of bytes of input to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static String encodeToString(byte[] input, int offset, int len, int flags) { + try { + return new String(encode(input, offset, len, flags), "US-ASCII"); + } catch (UnsupportedEncodingException e) { + // US-ASCII is guaranteed to be available. + throw new AssertionError(e); + } + } + + /** + * Base64-encode the given data and return a newly allocated + * byte[] with the result. + * + * @param input the data to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static byte[] encode(byte[] input, int flags) { + return encode(input, 0, input.length, flags); + } + + /** + * Base64-encode the given data and return a newly allocated + * byte[] with the result. + * + * @param input the data to encode + * @param offset the position within the input array at which to + * start + * @param len the number of bytes of input to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static byte[] encode(byte[] input, int offset, int len, int flags) { + Encoder encoder = new Encoder(flags, null); + + // Compute the exact length of the array we will produce. + int output_len = len / 3 * 4; + + // Account for the tail of the data and the padding bytes, if any. 
+ if (encoder.do_padding) { + if (len % 3 > 0) { + output_len += 4; + } + } else { + switch (len % 3) { + case 0: + break; + case 1: + output_len += 2; + break; + case 2: + output_len += 3; + break; + } + } + + // Account for the newlines, if any. + if (encoder.do_newline && len > 0) { + output_len += (((len - 1) / (3 * Encoder.LINE_GROUPS)) + 1) * + (encoder.do_cr ? 2 : 1); + } + + encoder.output = new byte[output_len]; + encoder.process(input, offset, len, true); + + assert encoder.op == output_len; + + return encoder.output; + } + + /* package */ static abstract class Coder { + public byte[] output; + public int op; + + /** + * Encode/decode another block of input data. this.output is + * provided by the caller, and must be big enough to hold all + * the coded data. On exit, this.opwill be set to the length + * of the coded data. + * + * @param finish true if this is the final call to process for + * this object. Will finalize the coder state and + * include any final bytes in the output. + * @return true if the input so far is good; false if some + * error has been detected in the input stream.. + */ + public abstract boolean process(byte[] input, int offset, int len, boolean finish); + + /** + * @return the maximum number of bytes a call to process() + * could produce for the given number of input bytes. This may + * be an overestimate. + */ + public abstract int maxOutputSize(int len); + } + + /* package */ static class Decoder extends Coder { + /** + * Lookup table for turning bytes into their position in the + * Base64 alphabet. 
+ */ + private static final int DECODE[] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, + 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1, -1, + -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, + -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + }; + + /** + * Decode lookup table for the "web safe" variant (RFC 3548 + * sec. 4) where - and _ replace + and /. 
+ */ + private static final int DECODE_WEBSAFE[] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, + 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1, -1, + -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, + -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + }; + + /** + * Non-data values in the DECODE arrays. + */ + private static final int SKIP = -1; + private static final int EQUALS = -2; + final private int[] alphabet; + /** + * States 0-3 are reading through the next input tuple. + * State 4 is having read one '=' and expecting exactly + * one more. + * State 5 is expecting no more data or padding characters + * in the input. + * State 6 is the error state; an error has been detected + * in the input and no future input can "fix" it. + */ + private int state; // state number (0 to 6) + private int value; + + public Decoder(int flags, byte[] output) { + this.output = output; + + alphabet = ((flags & URL_SAFE) == 0) ? DECODE : DECODE_WEBSAFE; + state = 0; + value = 0; + } + + /** + * @return an overestimate for the number of bytes {@code + * len} bytes could decode to. 
+ */ + public int maxOutputSize(int len) { + return len * 3 / 4 + 10; + } + + /** + * Decode another block of input data. + * + * @return true if the state machine is still healthy. false if + * bad base-64 data has been detected in the input stream. + */ + public boolean process(byte[] input, int offset, int len, boolean finish) { + if (this.state == 6) return false; + + int p = offset; + len += offset; + + // Using local variables makes the decoder about 12% + // faster than if we manipulate the member variables in + // the loop. (Even alphabet makes a measurable + // difference, which is somewhat surprising to me since + // the member variable is final.) + int state = this.state; + int value = this.value; + int op = 0; + final byte[] output = this.output; + final int[] alphabet = this.alphabet; + + while (p < len) { + // Try the fast path: we're starting a new tuple and the + // next four bytes of the input stream are all data + // bytes. This corresponds to going through states + // 0-1-2-3-0. We expect to use this method for most of + // the data. + // + // If any of the next four bytes of input are non-data + // (whitespace, etc.), value will end up negative. (All + // the non-data values in decode are small negative + // numbers, so shifting any of them up and or'ing them + // together will result in a value with its top bit set.) + // + // You can remove this whole block and the output should + // be the same, just slower. + if (state == 0) { + while (p + 4 <= len && + (value = ((alphabet[input[p] & 0xff] << 18) | + (alphabet[input[p + 1] & 0xff] << 12) | + (alphabet[input[p + 2] & 0xff] << 6) | + (alphabet[input[p + 3] & 0xff]))) >= 0) { + output[op + 2] = (byte) value; + output[op + 1] = (byte) (value >> 8); + output[op] = (byte) (value >> 16); + op += 3; + p += 4; + } + if (p >= len) break; + } + + // The fast path isn't available -- either we've read a + // partial tuple, or the next four input bytes aren't all + // data, or whatever. 
Fall back to the slower state + // machine implementation. + + int d = alphabet[input[p++] & 0xff]; + + switch (state) { + case 0: + if (d >= 0) { + value = d; + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 1: + if (d >= 0) { + value = (value << 6) | d; + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 2: + if (d >= 0) { + value = (value << 6) | d; + ++state; + } else if (d == EQUALS) { + // Emit the last (partial) output tuple; + // expect exactly one more padding character. + output[op++] = (byte) (value >> 4); + state = 4; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 3: + if (d >= 0) { + // Emit the output triple and return to state 0. + value = (value << 6) | d; + output[op + 2] = (byte) value; + output[op + 1] = (byte) (value >> 8); + output[op] = (byte) (value >> 16); + op += 3; + state = 0; + } else if (d == EQUALS) { + // Emit the last (partial) output tuple; + // expect no further data or padding characters. + output[op + 1] = (byte) (value >> 2); + output[op] = (byte) (value >> 10); + op += 2; + state = 5; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 4: + if (d == EQUALS) { + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 5: + if (d != SKIP) { + this.state = 6; + return false; + } + break; + } + } + + if (!finish) { + // We're out of input, but a future call could provide + // more. + this.state = state; + this.value = value; + this.op = op; + return true; + } + + // Done reading input. Now figure out where we are left in + // the state machine and finish up. + + switch (state) { + case 0: + // Output length is a multiple of three. Fine. + break; + case 1: + // Read one extra input byte, which isn't enough to + // make another output byte. Illegal. 
+ this.state = 6; + return false; + case 2: + // Read two extra input bytes, enough to emit 1 more + // output byte. Fine. + output[op++] = (byte) (value >> 4); + break; + case 3: + // Read three extra input bytes, enough to emit 2 more + // output bytes. Fine. + output[op++] = (byte) (value >> 10); + output[op++] = (byte) (value >> 2); + break; + case 4: + // Read one padding '=' when we expected 2. Illegal. + this.state = 6; + return false; + case 5: + // Read all the padding '='s we expected and no more. + // Fine. + break; + } + + this.state = state; + this.op = op; + return true; + } + } + + /* package */ static class Encoder extends Coder { + /** + * Emit a new line every this many output tuples. Corresponds to + * a 76-character line length (the maximum allowable according to + * RFC 2045). + */ + public static final int LINE_GROUPS = 19; + + /** + * Lookup table for turning Base64 alphabet positions (6 bits) + * into output bytes. + */ + private static final byte ENCODE[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', + 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', + 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', + 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/', + }; + + /** + * Lookup table for turning Base64 alphabet positions (6 bits) + * into output bytes. 
+ */ + private static final byte ENCODE_WEBSAFE[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', + 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', + 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', + 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_', + }; + final public boolean do_padding; + final public boolean do_newline; + final public boolean do_cr; + final private byte[] tail; + final private byte[] alphabet; + /* package */ int tailLen; + private int count; + + public Encoder(int flags, byte[] output) { + this.output = output; + + do_padding = (flags & NO_PADDING) == 0; + do_newline = (flags & NO_WRAP) == 0; + do_cr = (flags & CRLF) != 0; + alphabet = ((flags & URL_SAFE) == 0) ? ENCODE : ENCODE_WEBSAFE; + + tail = new byte[2]; + tailLen = 0; + + count = do_newline ? LINE_GROUPS : -1; + } + + /** + * @return an overestimate for the number of bytes {@code + * len} bytes could encode to. + */ + public int maxOutputSize(int len) { + return len * 8 / 5 + 10; + } + + public boolean process(byte[] input, int offset, int len, boolean finish) { + // Using local variables makes the encoder about 9% faster. + final byte[] alphabet = this.alphabet; + final byte[] output = this.output; + int op = 0; + int count = this.count; + + int p = offset; + len += offset; + int v = -1; + + // First we need to concatenate the tail of the previous call + // with any input bytes available now and see if we can empty + // the tail. + + switch (tailLen) { + case 0: + // There was no tail. + break; + + case 1: + if (p + 2 <= len) { + // A 1-byte tail with at least 2 bytes of + // input available now. + v = ((tail[0] & 0xff) << 16) | + ((input[p++] & 0xff) << 8) | + (input[p++] & 0xff); + tailLen = 0; + } + ; + break; + + case 2: + if (p + 1 <= len) { + // A 2-byte tail with at least 1 byte of input. 
+ v = ((tail[0] & 0xff) << 16) | + ((tail[1] & 0xff) << 8) | + (input[p++] & 0xff); + tailLen = 0; + } + break; + } + + if (v != -1) { + output[op++] = alphabet[(v >> 18) & 0x3f]; + output[op++] = alphabet[(v >> 12) & 0x3f]; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (--count == 0) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + count = LINE_GROUPS; + } + } + + // At this point either there is no tail, or there are fewer + // than 3 bytes of input available. + + // The main loop, turning 3 input bytes into 4 output bytes on + // each iteration. + while (p + 3 <= len) { + v = ((input[p] & 0xff) << 16) | + ((input[p + 1] & 0xff) << 8) | + (input[p + 2] & 0xff); + output[op] = alphabet[(v >> 18) & 0x3f]; + output[op + 1] = alphabet[(v >> 12) & 0x3f]; + output[op + 2] = alphabet[(v >> 6) & 0x3f]; + output[op + 3] = alphabet[v & 0x3f]; + p += 3; + op += 4; + if (--count == 0) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + count = LINE_GROUPS; + } + } + + if (finish) { + // Finish up the tail of the input. Note that we need to + // consume any bytes in tail before any bytes + // remaining in input; there should be at most two bytes + // total. + + if (p - tailLen == len - 1) { + int t = 0; + v = ((tailLen > 0 ? tail[t++] : input[p++]) & 0xff) << 4; + tailLen -= t; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (do_padding) { + output[op++] = '='; + output[op++] = '='; + } + if (do_newline) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + } else if (p - tailLen == len - 2) { + int t = 0; + v = (((tailLen > 1 ? tail[t++] : input[p++]) & 0xff) << 10) | + (((tailLen > 0 ? 
tail[t++] : input[p++]) & 0xff) << 2); + tailLen -= t; + output[op++] = alphabet[(v >> 12) & 0x3f]; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (do_padding) { + output[op++] = '='; + } + if (do_newline) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + } else if (do_newline && op > 0 && count != LINE_GROUPS) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + + assert tailLen == 0; + assert p == len; + } else { + // Save the leftovers in tail to be consumed on the next + // call to encodeInternal. + + if (p == len - 1) { + tail[tailLen++] = input[p]; + } else if (p == len - 2) { + tail[tailLen++] = input[p]; + tail[tailLen++] = input[p + 1]; + } + } + + this.op = op; + this.count = count; + + return true; + } + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java new file mode 100644 index 000000000..a961f91b2 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java 
@@ -0,0 +1,41 @@
+package org.sunbird.auth.verifier;
+
+import java.nio.charset.Charset;
+import java.security.*;
+import org.sunbird.telemetry.logger.TelemetryManager;
+
+
+public class CryptoUtil {
+ private static final Charset US_ASCII = Charset.forName("US-ASCII");
+
+ public static boolean verifyRSASign(String payLoad, byte[] signature, PublicKey key, String algorithm) {
+ Signature sign;
+ try {
+ sign = Signature.getInstance(algorithm);
+ sign.initVerify(key);
+ sign.update(payLoad.getBytes(US_ASCII));
+ return sign.verify(signature);
+ } catch (NoSuchAlgorithmException e) {
+ return false;
+ } catch (InvalidKeyException e){
+ return false;
+ } catch (SignatureException e){
+ return false;
+ }
+ }
+
+ public static byte[] generateRSASign(String payLoad, PrivateKey key, String algorithm) {
+ Signature sign;
+ byte[] signature;
+ try {
+ sign = Signature.getInstance(algorithm);
+ sign.initSign(key);
+ sign.update(payLoad.getBytes(US_ASCII));
+ signature = sign.sign();
+ } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
+ TelemetryManager.error("CryptoUtil:generateRSASign :: failed to generate signature. Exception: ", e);
+ return null;
+ }
+ return signature;
+ }
+}
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
new file mode 100644
index 000000000..788358a63
--- /dev/null
+++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
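Review bot: `generateRSASign` returns `null` on failure, and its only caller in this patch (`JWTUtil.encodeToBase64Uri`) passes that straight to `Base64Util.encodeToString`, where `input.length` throws a NullPointerException; the real cause is then only visible through the generic catch in `createRS256Token`. Throw from the catch block instead of `return null;` (or declare the method to propagate `GeneralSecurityException`) so callers see why signing failed. Minor: `Charset.forName("US-ASCII")` can be `StandardCharsets.US_ASCII`, and the three identical catch blocks in `verifyRSASign` can be the same multi-catch used in `generateRSASign`: `} catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { return false; }`.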
@@ -0,0 +1,56 @@ +package org.sunbird.auth.verifier; + +import org.sunbird.common.JsonUtils; +import org.sunbird.telemetry.logger.TelemetryManager; + +import java.util.HashMap; +import java.util.Map; + +public class JWTUtil { + private static String SEPARATOR = "."; + + public static String createRS256Token(Map claimsMap) { + String token = ""; + JWTokenType tokenType = JWTokenType.RS256; + try { + KeyData keyData = KeyManager.getRandomKey(); + if(keyData != null) { + Map headerOptions = createHeaderOptions(keyData.getKeyId()); + String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap); + String signature = encodeToBase64Uri(CryptoUtil.generateRSASign(payLoad, keyData.getPrivateKey(), tokenType.getAlgorithmName())); + token = payLoad + SEPARATOR + signature; + } else { + TelemetryManager.error("JWTUtil.createRS256Token :: KeyManager is not initialized properly."); + } + } catch (Exception e) { + TelemetryManager.error("JWTUtil.createRS256Token :: Failed to create RS256 token. Exception: ", e); + } + return token; + } + + private static String createHeader(JWTokenType tokenType, Map headerOptions) throws Exception { + Map headerData = new HashMap<>(); + if (headerOptions != null) + headerData.putAll(headerOptions); + headerData.put("alg", tokenType.getTokenType()); + return encodeToBase64Uri(JsonUtils.serialize(headerData).getBytes()); + } + + private static Map createHeaderOptions(String keyId) { + Map headers = new HashMap<>(); + headers.put("kid", keyId); + return headers; + } + + private static String createClaimsMap(Map claimsMap) throws Exception { + Map payloadData = new HashMap<>(); + if(claimsMap != null && claimsMap.size() > 0) { + payloadData.putAll(claimsMap); + } + return encodeToBase64Uri(JsonUtils.serialize(payloadData).getBytes()); + } + + private static String encodeToBase64Uri(byte[] data) { + return Base64Util.encodeToString(data, 11); + } +} 
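Review bot: `createHeader` and `createClaimsMap` call `JsonUtils.serialize(...).getBytes()` with the platform default charset, so a non-ASCII claim value is encoded differently from one JVM to another and the signature computed over it will not verify on a host with a different default; use `.getBytes(StandardCharsets.UTF_8)` in both places, since JWS segments are defined over UTF-8 JSON. The literal `11` passed to `Base64Util.encodeToString` is presumably the Android-style `URL_SAFE | NO_WRAP | NO_PADDING` flag combination (8 + 2 + 1) of the ported `Base64Util`; if that class exposes those constants, spell the expression out so the URL-safe, unpadded requirement of compact JWS is visible at the call site. `createRS256Token` catches `Exception` and returns `""`, so callers cannot distinguish a signing failure from a token without inspecting for the empty string; document that on the method (`@return the compact JWS, or an empty string when no key is available or signing fails`) or let the exception propagate. `SEPARATOR` should be `private static final`.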
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java new file mode 100644 index 000000000..0632e084d --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java @@ -0,0 +1,22 @@ +package org.sunbird.auth.verifier; + +public enum JWTokenType { + HS256("HS256", "HmacSHA256"), + RS256("RS256", "SHA256withRSA"); + + private String algorithmName; + private String tokenType; + + JWTokenType(String tokenType, String algorithmName) { + this.algorithmName = algorithmName; + this.tokenType = tokenType; + } + + public String getAlgorithmName() { + return algorithmName; + } + + public String getTokenType() { + return tokenType; + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java new file mode 100644 index 000000000..6028025f7 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java @@ -0,0 +1,40 @@ +package org.sunbird.auth.verifier; + +import java.security.PrivateKey; +import java.security.PublicKey; + +public class KeyData { + private String keyId; + private PrivateKey privateKey; + private PublicKey publicKey; + + public KeyData(String keyId, PublicKey publicKey, PrivateKey privateKey) { + this.keyId = keyId; + this.publicKey = publicKey; + this.privateKey = privateKey; + } + + public String getKeyId() { + return keyId; + } + + public void setKeyId(String keyId) { + this.keyId = keyId; + } + + public PublicKey getPublicKey() { + return publicKey; + } + + public void setPublicKey(PublicKey publicKey) { + this.publicKey = publicKey; + } + + public PrivateKey getPrivateKey() { + return privateKey; + } + + public void setPrivateKey(PrivateKey privateKey) { + this.privateKey = privateKey; + } +} 
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java new file mode 100644 index 000000000..61eac0da5 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java 
@@ -0,0 +1,97 @@ +package org.sunbird.auth.verifier; + +import java.util.Map; +import org.sunbird.telemetry.logger.TelemetryManager; + +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.PrivateKey; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Random; +import java.util.Map; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class KeyManager { + public static final String ACCESS_TOKEN_PUBLICKEY_BASEPATH = "accesstoken_privatekey_basepath"; + + private static PropertiesCache propertiesCache = PropertiesCache.getInstance(); + private static Map keyMap = new HashMap(); + + public static void init() { + TelemetryManager.info("KeyManager:init :: Starting initialization..."); + String basePath = propertiesCache.getProperty(ACCESS_TOKEN_PUBLICKEY_BASEPATH); + try (Stream walk = Files.walk(Paths.get(basePath))) { + List result = + walk.filter(Files::isRegularFile).map(x -> x.toString()).collect(Collectors.toList()); + result.forEach( + file -> { + try { + StringBuilder contentBuilder = new StringBuilder(); + Path path = Paths.get(file); + Files.lines(path, StandardCharsets.UTF_8) + .forEach( + x -> { + contentBuilder.append(x); + }); + KeyData keyData = + new KeyData( + path.getFileName().toString(), null, loadPrivateKey(contentBuilder.toString())); + keyMap.put(path.getFileName().toString(), keyData); + } catch (Exception e) { + TelemetryManager.error("KeyManager:init: exception in reading public keys ", e); + } + }); + } catch (Exception e) { + TelemetryManager.error("KeyManager:init: exception in loading publickeys ", e); + } + } + + public static KeyData getRandomKey() { + if (keyMap.size() == 0) { + init(); + } + if (keyMap.size() > 
0) { + Random random = new Random(); + List keys = new ArrayList(keyMap.keySet()); + String randomKey = keys.get(random.nextInt(keys.size())); + return keyMap.get(randomKey); + } + return null; + } + + public static PublicKey loadPublicKey(String key) throws Exception { + String publicKey = new String(key.getBytes(), StandardCharsets.UTF_8); + publicKey = publicKey.replaceAll("(-+BEGIN PUBLIC KEY-+)", ""); + publicKey = publicKey.replaceAll("(-+END PUBLIC KEY-+)", ""); + publicKey = publicKey.replaceAll("[\\r\\n]+", ""); + byte[] keyBytes = Base64Util.decode(publicKey.getBytes("UTF-8"), Base64Util.DEFAULT); + + X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(keyBytes); + KeyFactory kf = KeyFactory.getInstance("RSA"); + return kf.generatePublic(X509publicKey); + } + + private static PrivateKey loadPrivateKey(String key) throws Exception { + String privateKey = new String(key.getBytes(), StandardCharsets.UTF_8); + privateKey = privateKey.replaceAll("(-+BEGIN RSA PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+END RSA PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+BEGIN PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+END PRIVATE KEY-+)", ""); + publicKey = publicKey.replaceAll("[\\r\\n]+", ""); + byte[] keyBytes = Base64Util.decode(privateKey.getBytes("UTF-8"), Base64Util.DEFAULT); + + // generate private key + PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes); + KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + return keyFactory.generatePrivate(spec); + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java new file mode 100644 index 000000000..79d143f6a --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java 
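Review bot: `loadPrivateKey` references `publicKey` on the line `publicKey = publicKey.replaceAll("[\\r\\n]+", "");`, but no such variable exists in that method, so the class does not compile; the line should read `privateKey = privateKey.replaceAll("[\\r\\n]+", "");`. The method also strips `-----BEGIN RSA PRIVATE KEY-----` headers but then parses with `PKCS8EncodedKeySpec`, which accepts only PKCS#8 material (`BEGIN PRIVATE KEY`); a PKCS#1 file would fail with `InvalidKeySpecException` and be reported by `init` under the misleading message "exception in reading public keys", so either drop the RSA-header handling or state in a comment that only PKCS#8 files are supported and fix the two log messages to say "private keys". `init` treats every regular file under the base path as a private key and keys the map by bare file name, and `getRandomKey` re-enters `init` whenever the map is empty, so concurrent first calls mutate a plain `HashMap` from several threads; a comment on the expected directory layout plus a `ConcurrentHashMap` (or a `synchronized` `init`) would make that safe. The constant `ACCESS_TOKEN_PUBLICKEY_BASEPATH` holds `accesstoken_privatekey_basepath`; rename it to match its value.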
@@ -0,0 +1,97 @@ +package org.sunbird.auth.verifier; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Map; +import java.util.Properties; +import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.lang3.StringUtils; + +import org.sunbird.telemetry.logger.TelemetryManager; + + +/* + * @author Amit Kumar + * + * this class is used for reading properties file + */ +public class PropertiesCache { + + private final String[] fileName = { + "externalresource.properties" + }; + private final Properties configProp = new Properties(); + public final Map attributePercentageMap = new ConcurrentHashMap<>(); + private static PropertiesCache propertiesCache = null; + + /** private default constructor */ + private PropertiesCache() { + for (String file : fileName) { + InputStream in = this.getClass().getClassLoader().getResourceAsStream(file); + try { + configProp.load(in); + } catch (IOException e) { + TelemetryManager.error("Error in properties cache", e); + } + } + loadWeighted(); + } + + public static PropertiesCache getInstance() { + + // change the lazy holder implementation to simple singleton implementation ... + if (null == propertiesCache) { + synchronized (PropertiesCache.class) { + if (null == propertiesCache) { + propertiesCache = new PropertiesCache(); + } + } + } + + return propertiesCache; + } + + public void saveConfigProperty(String key, String value) { + configProp.setProperty(key, value); + } + + public String getProperty(String key) { + String value = System.getenv(key); + if (StringUtils.isNotBlank(value)) return value; + return configProp.getProperty(key) != null ? 
configProp.getProperty(key) : key; + } + + private void loadWeighted() { + String key = configProp.getProperty("user.profile.attribute"); + String value = configProp.getProperty("user.profile.weighted"); + if (StringUtils.isBlank(key)) { + TelemetryManager.info("Profile completeness value is not set"); + } else { + String keys[] = key.split(","); + String values[] = value.split(","); + if (keys.length == value.length()) { + // then take the value from user + TelemetryManager.log("weighted value is provided by user."); + for (int i = 0; i < keys.length; i++) + attributePercentageMap.put(keys[i], new Float(values[i])); + } else { + // equally divide all the provided field. + TelemetryManager.log("weighted value is not provided by user."); + float perc = (float) 100.0 / keys.length; + for (int i = 0; i < keys.length; i++) attributePercentageMap.put(keys[i], perc); + } + } + } + + /** + * Method to read value from resource file . + * + * @param key + * @return + */ + public String readProperty(String key) { + String value = System.getenv(key); + if (StringUtils.isNotBlank(value)) return value; + return configProp.getProperty(key); + } +} \ No newline at end of file diff --git a/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java b/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java new file mode 100644 index 000000000..245fa563c --- /dev/null +++ b/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java 
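Review bot: `loadWeighted` compares `keys.length == value.length()`, an array length against the character length of the `value` string, so the "weighted value is provided by user" branch is taken only by coincidence; it should be `keys.length == values.length`, and `value` needs a null check before `value.split(",")` because `user.profile.weighted` can be absent while `user.profile.attribute` is set. In the constructor, `getResourceAsStream(file)` returns `null` when `externalresource.properties` is not on the classpath, and `configProp.load(in)` then throws `NullPointerException`, which the `IOException` catch does not cover; a `try (InputStream in = ...)` with a null guard also closes the stream, which is currently leaked. `getProperty` returns the key itself when nothing is configured, so `KeyManager.init` will try to walk a directory literally named `accesstoken_privatekey_basepath` instead of failing fast; document that fallback on the method or return `null` for unknown keys. The `propertiesCache` singleton field is read outside the `synchronized` block without being `volatile`, so the double-checked initialisation is not safe under the Java memory model; declare it `private static volatile`.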
@@ -0,0 +1,26 @@ +package org.sunbird.auth.verifier; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + +import java.security.PublicKey; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.powermock.core.classloader.annotations.PowerMockIgnore; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.powermock.modules.junit4.PowerMockRunner; +import org.sunbird.common.models.util.PropertiesCache; + +@RunWith(PowerMockRunner.class) +@PrepareForTest({PropertiesCache.class}) +@PowerMockIgnore({"javax.management.*"}) +public class KeyManagerTest { + + @Test + public void testLoadPublicKey() throws Exception { + PublicKey key = + KeyManager.loadPublicKey( + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysH/wWtg0IjBL1JZZDYvUJC42JCxVobalckr2/3d3eEiWkk7Zh/4DAPYOs4UPjAevTs5VMUjq9EZu/u4H5hNzoVmYNvhtxbhWNY3n4mxpA4Lgt4sNGiGYNNGrN34ML+7+TR3Z1dlrhA271PiuanHI11YymskQRPhBfuwK923Kl/lgI4rS9OQ4GnkvwkUPvMUIRfNt8wL9uTbWm3V9p8VTcmQbW+pPw9QhO9v95NOgXQrLnT8xwnzQE6UCTY2al3B0fc3ULmcxvK+7P1R3/0w1qJLEKSiHl0xnv4WNEfS+2UmN+8jfdSCfoyVIglQl5/tb05j89nfZZp8k24AWLxIJQIDAQAB"); + assertNotNull(key); + } +} diff --git a/platform-core/pom.xml b/platform-core/pom.xml index 915ae188d..f8f4799e1 100755 --- a/platform-core/pom.xml +++ b/platform-core/pom.xml @@ -14,6 +14,7 @@ platform-common platform-telemetry actor-core + auth-verifier schema-validator platform-cache cassandra-connector From 2237289bf719b8a01c986d2872bb86cf826279a9 Mon Sep 17 00:00:00 2001 
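Review bot: The test imports `org.sunbird.common.models.util.PropertiesCache` and prepares that class for PowerMock, while the `KeyManager` under test uses the new `org.sunbird.auth.verifier.PropertiesCache` in its own package; unless the `auth-verifier` module depends on that other package the file will not compile, and if it does, the mock targets a class `KeyManager` never calls. The `assertNull` import is unused. Only the happy path of `loadPublicKey` is exercised; a second test such as `@Test(expected = Exception.class) public void testLoadPublicKeyRejectsGarbage() throws Exception { KeyManager.loadPublicKey("not-a-key"); }` would pin the failure mode the loader relies on.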
From: sreeragksgh Date: Tue, 30 May 2023 13:52:10 +0530 Subject: [PATCH 12/18] Content Security search API enhancement --- .../java/org/sunbird/actors/SearchActor.java | 9 +- .../org/sunbird/search/dto/SearchDTO.java | 4 +- .../search/processor/SearchProcessor.java | 373 ++++++++++-------- .../controllers/SearchBaseController.scala | 2 +- .../app/controllers/SearchController.scala | 22 -- search-api/search-service/conf/routes | 1 - 6 files changed, 210 insertions(+), 201 deletions(-) diff --git a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java index bc3a29c60..136b52454 100644 --- a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java +++ b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java @@ -95,9 +95,12 @@ private SearchDTO getSearchDTO(Request request) throws Exception { SearchDTO searchObj = new SearchDTO(); try { Map req = request.getRequest(); - String secureContentFlag = (String) req.get(SearchConstants.secureSettings); - if ("true".equalsIgnoreCase((String) req.get(SearchConstants.secureSettings))) - searchObj.setSecureSettings(true); + if (req.get("secureSettings") != null) { + searchObj.setSecureSettings((Boolean) req.get("secureSettings")); + } else { + searchObj.setSecureSettings(false); + } + searchObj.setUserOrgId((String) request.getContext().get("x-user-channel-id")); TelemetryManager.log("Search Request: ", req); String queryString = (String) req.get(SearchConstants.query); int limit = getIntValue(req.get(SearchConstants.limit)); diff --git a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java index baa0ca3fe..328d45212 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java 
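Review bot: `(Boolean) req.get("secureSettings")` casts a client-supplied request field directly, so a caller sending `"secureSettings": "true"` (the string form the removed lines accepted) now fails with `ClassCastException` rather than a validation error; parse it defensively, e.g. `Object flag = req.get(SearchConstants.secureSettings);` followed by `searchObj.setSecureSettings(flag instanceof Boolean ? (Boolean) flag : Boolean.parseBoolean(String.valueOf(flag)));`. The string literal `"secureSettings"` also bypasses the `SearchConstants.secureSettings` key the removed code used. `request.getContext().get("x-user-channel-id")` may be `null`, which `setUserOrgId` stores over the DTO's `""` default and which later reaches the secure-settings term query unchanged; normalising `null` to `""` here keeps the downstream check well-defined. `getSearchDTO` continues outside the hunk.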
@@ -17,6 +17,7 @@ public class SearchDTO { private int offset; boolean fuzzySearch = false; boolean secureSettings = false; + String userOrgId = ""; private Map additionalProperties = new HashMap(); private Map softConstraints = new HashMap(); private List> aggregations = new ArrayList<>(); @@ -66,7 +67,6 @@ public Map getSortBy() { public void setSortBy(Map sortBy) { this.sortBy = sortBy; } - public boolean isFuzzySearch() { return fuzzySearch; } @@ -79,6 +79,8 @@ public boolean isSecureSettings() { public void setSecureSettings(boolean secureSettings) { this.secureSettings = secureSettings; } + public String getUserOrgId() {return userOrgId;} + public void setUserOrgId(String userOrgId) {this.userOrgId = userOrgId;} public Map getAdditionalProperties() { return additionalProperties; } diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java index 65cf0d503..7458ed863 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java @@ -44,7 +44,7 @@ public SearchProcessor() { ElasticSearchUtil.initialiseESClient(SearchConstants.COMPOSITE_SEARCH_INDEX, Platform.config.getString("search.es_conn_info")); } - + public SearchProcessor(String indexName) { } 
@@ -55,7 +55,7 @@ public Future> processSearch(SearchDTO searchDTO, boolean in SearchSourceBuilder query = processSearchQuery(searchDTO, groupByFinalList, true); Future searchResponse = null; boolean enableFuzzyWhenNoResults = Platform.config.hasPath("search.fields.enable.fuzzy.when.noresult") && - Platform.config.getBoolean("search.fields.enable.fuzzy.when.noresult"); + Platform.config.getBoolean("search.fields.enable.fuzzy.when.noresult"); if (enableFuzzyWhenNoResults) { //Let's call with Default fuzzy value given in request int exactMatchCount = ElasticSearchUtil.count(SearchConstants.COMPOSITE_SEARCH_INDEX, query); @@ -113,7 +113,7 @@ public Map processCount(SearchDTO searchDTO) throws Exception { /** * Returns the list of words which are synonyms of the synsetIds passed in the * request - * + * * @param synsetIds * @return * @throws Exception @@ -178,7 +178,7 @@ public Map multiWordDocSearch(List synsetIds) throws Exc /** * Returns list of synsetsIds which has valid documents in composite index - * + * * @param synsetIds * @return * @throws Exception @@ -217,7 +217,7 @@ public void destroy() { * @return */ private SearchSourceBuilder processSearchQuery(SearchDTO searchDTO, List> groupByFinalList, - boolean sortBy) { + boolean sortBy) { SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); List fields = searchDTO.getFields(); @@ -274,7 +274,7 @@ private SearchSourceBuilder processSearchQuery(SearchDTO searchDTO, List> groupByList, - SearchSourceBuilder searchSourceBuilder) { + SearchSourceBuilder searchSourceBuilder) { TermsAggregationBuilder termBuilder = null; if (groupByList != null && !groupByList.isEmpty()) { HashMap> nestedAggregation = new HashMap<>(); 
@@ -282,17 +282,17 @@ private void setAggregations(List> groupByList, String groupByParent = (String) groupByMap.get("groupByParent"); if (!groupByParent.contains(".")) { termBuilder = AggregationBuilders.terms(groupByParent) - .field(groupByParent + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit); - List groupByChildList = (List) groupByMap.get("groupByChildList"); - if (groupByChildList != null && !groupByChildList.isEmpty()) { - for (String childGroupBy : groupByChildList) { - termBuilder.subAggregation(AggregationBuilders.terms(childGroupBy) - .field(childGroupBy + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit)); + .field(groupByParent + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit); + List groupByChildList = (List) groupByMap.get("groupByChildList"); + if (groupByChildList != null && !groupByChildList.isEmpty()) { + for (String childGroupBy : groupByChildList) { + termBuilder.subAggregation(AggregationBuilders.terms(childGroupBy) + .field(childGroupBy + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit)); + } } - } - searchSourceBuilder.aggregation(termBuilder); + searchSourceBuilder.aggregation(termBuilder); } else { if (nestedAggregation.get(groupByParent.split("\\.")[0]) != null) { nestedAggregation.get(groupByParent.split("\\.")[0]).add(groupByParent.split("\\.")[1]); 
@@ -328,9 +328,16 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { QueryBuilder queryBuilder = null; String totalOperation = searchDTO.getOperation(); List properties = searchDTO.getProperties(); - formQuery(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch()); - if(searchDTO.getMultiFilterProperties() != null) { - formQuery(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, SearchConstants.SEARCH_OPERATION_OR, searchDTO.isFuzzySearch()); + if (searchDTO.isSecureSettings() == false) + formQuery(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch()); + else + formQueryUpdated(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO); + if (searchDTO.getMultiFilterProperties() != null) { + if (searchDTO.isSecureSettings() == false) + formQuery(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, SearchConstants.SEARCH_OPERATION_OR, searchDTO.isFuzzySearch()); + else { + formQueryUpdated(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO); + } } Map softConstraints = searchDTO.getSoftConstraints(); @@ -343,9 +350,12 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { } private void formQuery(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy) { + formQueryUpdated(properties, queryBuilder, boolQuery, operation, fuzzy, null); + } + + private void formQueryUpdated(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) { boolean enableSecureSettings = Platform.config.hasPath("search.fields.enable.secureSettings") && Platform.config.getBoolean("search.fields.enable.secureSettings"); - for (Map property : properties) { String opertation = (String) property.get("operation"); 
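Review bot: In the secure branch for `getMultiFilterProperties`, `formQueryUpdated(...)` is passed `totalOperation` where the non-secure branch one line above passes `SearchConstants.SEARCH_OPERATION_OR`, so enabling `secureSettings` silently changes how multi-filter properties are combined (AND instead of OR whenever `totalOperation` is AND); pass `SearchConstants.SEARCH_OPERATION_OR` in both branches. The wrapper `formQuery` now delegates with `searchDTO = null`, and the delegated code in the `@@ -363` and `@@ -372` hunks calls `searchDTO.isSecureSettings()` whenever `search.fields.enable.secureSettings` is on, so the `isSecureSettings() == false` path throws `NullPointerException` under that configuration; either pass `searchDTO` from both call sites (which makes `formQuery` redundant) or null-guard inside `formQueryUpdated`. `searchDTO.isSecureSettings() == false` reads more naturally as `!searchDTO.isSecureSettings()`.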
@@ -363,8 +373,13 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer relevanceSort = true; propertyName = "all_fields"; queryBuilder = getAllFieldsPropertyQuery(values, fuzzy); - if(!enableSecureSettings) - boolQuery.mustNot(getSecureSettingsQuery()); + if (enableSecureSettings) { + if (searchDTO.isSecureSettings()) { + boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId())); + } else { + boolQuery.mustNot(getSecureSettingsSearchDefaultQuery()); + } + } boolQuery.must(queryBuilder); continue; } 
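Review bot: The flag condition was inverted from `if(!enableSecureSettings) boolQuery.mustNot(...)` to `if (enableSecureSettings) { ... }`, so the exclusion clause that previously applied whenever `search.fields.enable.secureSettings` was unset or false is now added only when the flag is on, and with the flag off no secure-settings clause is emitted at all. If turning the flag off is meant to disable the mechanism entirely, that fail-open default deserves a comment here and on the identical block in the `@@ -372` hunk (`// feature flag off: secureSettings is not consulted at all`); if not, keep `boolQuery.mustNot(getSecureSettingsSearchDefaultQuery())` as the unconditional fallback when the flag is off. `searchDTO` is `null` when this method is reached through `formQuery`, so `searchDTO.isSecureSettings()` also needs the guard `searchDTO != null && searchDTO.isSecureSettings()`. `formQueryUpdated` begins and ends outside this hunk.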
@@ -372,89 +387,94 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer propertyName = propertyName + SearchConstants.RAW_FIELD_EXTENSION; switch (opertation) { - case SearchConstants.SEARCH_OPERATION_EQUAL: { - queryBuilder = getMustTermQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_EQUAL: { - queryBuilder = getMustTermQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_IN: { - queryBuilder = getNotInQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_ENDS_WITH: { - queryBuilder = getRegexQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LIKE: - case SearchConstants.SEARCH_OPERATION_CONTAINS: { - queryBuilder = getMatchPhraseQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_LIKE: { - queryBuilder = getMatchPhraseQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_STARTS_WITH: { - queryBuilder = getMatchPhrasePrefixQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_EXISTS: { - queryBuilder = getExistsQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_EXISTS: { - queryBuilder = getExistsQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case 
SearchConstants.SEARCH_OPERATION_GREATER_THAN: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_GREATER_THAN); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN: { - queryBuilder = getRangeQuery(propertyName, values, SearchConstants.SEARCH_OPERATION_LESS_THAN); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_RANGE: { - queryBuilder = getRangeQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_AND: { - queryBuilder = getAndQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } + case SearchConstants.SEARCH_OPERATION_EQUAL: { + queryBuilder = getMustTermQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_EQUAL: { + queryBuilder = getMustTermQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_IN: { + queryBuilder = getNotInQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_ENDS_WITH: { + queryBuilder = getRegexQuery(propertyName, values); + 
queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LIKE: + case SearchConstants.SEARCH_OPERATION_CONTAINS: { + queryBuilder = getMatchPhraseQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_LIKE: { + queryBuilder = getMatchPhraseQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_STARTS_WITH: { + queryBuilder = getMatchPhrasePrefixQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_EXISTS: { + queryBuilder = getExistsQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_EXISTS: { + queryBuilder = getExistsQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_GREATER_THAN); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN: { + queryBuilder = getRangeQuery(propertyName, values, SearchConstants.SEARCH_OPERATION_LESS_THAN); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS); + 
queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_RANGE: { + queryBuilder = getRangeQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_AND: { + queryBuilder = getAndQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } } if (operation.equalsIgnoreCase(AND)) { - if(!enableSecureSettings) - boolQuery.mustNot(getSecureSettingsQuery()); + if (enableSecureSettings) { + if (searchDTO.isSecureSettings()) { + boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId())); + } else { + boolQuery.mustNot(getSecureSettingsSearchDefaultQuery()); + } + } boolQuery.must(queryBuilder); } else { boolQuery.should(queryBuilder); @@ -474,8 +494,8 @@ private QueryBuilder checkNestedProperty(QueryBuilder queryBuilder, String prope private QueryBuilder getAndQuery(String propertyName, List values) { BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery(); for (Object value : values) { - queryBuilder.must( - QueryBuilders.matchQuery(propertyName, value).operator(Operator.AND).fuzzyTranspositions(false)); + queryBuilder.must( + QueryBuilders.matchQuery(propertyName, value).operator(Operator.AND).fuzzyTranspositions(false)); } return queryBuilder; } 
@@ -525,16 +545,23 @@ private QueryBuilder getAllFieldsPropertyQuery(List values, Boolean fuzz } return queryBuilder; } - private QueryBuilder getSecureSettingsQuery() { + private QueryBuilder getSecureSettingsSearchDefaultQuery() { QueryBuilder firstNestedQuery =new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() .mustNot(new ExistsQueryBuilder("organisation")), org.apache.lucene.search.join.ScoreMode.None); QueryBuilder secondNestedQuery= new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() - .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); + .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); QueryBuilder query = QueryBuilders.boolQuery() .should(firstNestedQuery).should (secondNestedQuery); return query; } + private QueryBuilder getSecureSettingsSearchQuery(String org_id) { + + QueryBuilder query =new NestedQueryBuilder("secureSettings", + QueryBuilders.boolQuery() .must(new ExistsQueryBuilder("secureSettings.organisation")).must(QueryBuilders.termQuery("secureSettings.organisation",org_id)), org.apache.lucene.search.join.ScoreMode.None); + + return query; + } /** * @param softConstraints 
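Review bot: `getSecureSettingsSearchQuery(String org_id)` builds `QueryBuilders.termQuery("secureSettings.organisation", org_id)` without validating `org_id`, and `SearchActor` fills it from an `x-user-channel-id` context entry that can be absent; a `null` term value is likely rejected by the query builder and an empty string matches nothing, so check for a blank value first and fall back to the default query (or reject the request) before building the clause. The `must(new ExistsQueryBuilder("secureSettings.organisation"))` is redundant next to the term clause on the same field, and `org_id` should follow the camelCase used elsewhere (`orgId`). This method addresses the nested field by its full path `secureSettings.organisation`, whereas the renamed `getSecureSettingsSearchDefaultQuery` just above uses bare `organisation` and `organisation.length` inside the same nested context; the two forms probably cannot both be correct against one mapping, so confirm which one the index expects and align them.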
@@ -571,26 +598,26 @@ private QueryBuilder getRangeQuery(String propertyName, List values, Str BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery(); for (Object value : values) { switch (operation) { - case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).gt(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).gte(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).lt(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).lte(value)); - break; - } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).gt(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).gte(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).lt(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).lte(value)); + break; + } } } @@ -712,14 +739,14 @@ private QueryBuilder getRangeQuery(String propertyName, List values) { if (!rangeMap.isEmpty()) { for (String key : rangeMap.keySet()) { switch (key) { - case SearchConstants.SEARCH_OPERATION_RANGE_GTE: { - queryBuilder.from(rangeMap.get(key)); - break; - } - case SearchConstants.SEARCH_OPERATION_RANGE_LTE: { - queryBuilder.to(rangeMap.get(key)); - break; - } + case SearchConstants.SEARCH_OPERATION_RANGE_GTE: { + queryBuilder.from(rangeMap.get(key)); + break; + } + case SearchConstants.SEARCH_OPERATION_RANGE_LTE: { + queryBuilder.to(rangeMap.get(key)); + break; + } } } } 
@@ -741,7 +768,7 @@ public Future> processSearchQuery(SearchDTO searchDTO, boolean incl } public Future> processSearchQuery(SearchDTO searchDTO, boolean includeResults, String index, - boolean sort) + boolean sort) throws Exception { List> groupByFinalList = new ArrayList>(); if (searchDTO.getLimit() == 0) @@ -749,7 +776,7 @@ public Future> processSearchQuery(SearchDTO searchDTO, boolean incl SearchSourceBuilder query = processSearchQuery(searchDTO, groupByFinalList, sort); TelemetryManager.log(" search query: " + query); Future searchResponse = ElasticSearchUtil.search(index, query); - + return searchResponse.map(new Mapper>() { public List apply(SearchResponse searchResult) { List response = new ArrayList(); @@ -763,12 +790,12 @@ public List apply(SearchResponse searchResult) { return response; } }, ExecutionContext.Implicits$.MODULE$.global()); - + } public Future processSearchQueryWithSearchResult(SearchDTO searchDTO, boolean includeResults, - String index, - boolean sort) throws Exception { + String index, + boolean sort) throws Exception { List> groupByFinalList = new ArrayList>(); if (searchDTO.getLimit() == 0) searchDTO.setLimit(ElasticSearchUtil.defaultResultLimit); 
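Review bot: The new `throws Exception` on the public `processSearchQuery(SearchDTO, boolean, String, boolean)` overload is a source-incompatible change for every caller, which must now catch or declare a checked `Exception`, yet nothing visible in this hunk throws one. The body continues outside the hunk, so if a checked exception really is propagated it should be declared as its specific type or wrapped, rather than the catch-all `Exception` that makes an ES failure indistinguishable from a programming error. If the signature must change, a Javadoc `@throws` line stating when it is thrown would at least document the contract.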
@@ -793,48 +820,48 @@ private void setAggregations(SearchSourceBuilder searchSourceBuilder, List aggregate, int level) { - TermsAggregationBuilder termBuilder = AggregationBuilders.terms((String)aggregate.get("l" + level)) - .field(aggregate.get("l" + level) + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit); + TermsAggregationBuilder termBuilder = AggregationBuilders.terms((String)aggregate.get("l" + level)) + .field(aggregate.get("l" + level) + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit); if(level == aggregate.keySet().size()){ return termBuilder; }else { - level += 1; + level += 1; return termBuilder.subAggregation(getNextLevelAggregation(aggregate, level)); } } - private List> aggregateResult(Aggregations aggregations) { - List> aggregationList = new ArrayList<>(); - if(null != aggregations){ - Map aggregationMap = aggregations.getAsMap(); - for(String key: aggregationMap.keySet()){ - Terms terms = (Terms) aggregationMap.get(key); - List buckets = (List) terms.getBuckets(); - List> values = new ArrayList<>(); - if(CollectionUtils.isNotEmpty(buckets)) { - for(Terms.Bucket bucket: buckets) { - Map termBucket = new HashMap() {{ - put("count", bucket.getDocCount()); - put("name", bucket.getKey()); - List> subAggregations = aggregateResult(bucket.getAggregations()); - if(CollectionUtils.isNotEmpty(subAggregations)) - put("aggregations", subAggregations); - }}; - values.add(termBucket); - } - aggregationList.add(new HashMap(){{ - put("values", values); - put("name", key); - }}); - } - } - - } - return aggregationList; - } + private List> aggregateResult(Aggregations aggregations) { + List> aggregationList = new ArrayList<>(); + if(null != aggregations){ + Map aggregationMap = aggregations.getAsMap(); + for(String key: aggregationMap.keySet()){ + Terms terms = (Terms) aggregationMap.get(key); + List buckets = (List) terms.getBuckets(); + List> values = new ArrayList<>(); + 
if(CollectionUtils.isNotEmpty(buckets)) { + for(Terms.Bucket bucket: buckets) { + Map termBucket = new HashMap() {{ + put("count", bucket.getDocCount()); + put("name", bucket.getKey()); + List> subAggregations = aggregateResult(bucket.getAggregations()); + if(CollectionUtils.isNotEmpty(subAggregations)) + put("aggregations", subAggregations); + }}; + values.add(termBucket); + } + aggregationList.add(new HashMap(){{ + put("values", values); + put("name", key); + }}); + } + } + + } + return aggregationList; + } private QueryBuilder getSearchQuery(SearchDTO searchDTO) { BoolQueryBuilder boolQuery = new BoolQueryBuilder(); diff --git a/search-api/search-service/app/controllers/SearchBaseController.scala b/search-api/search-service/app/controllers/SearchBaseController.scala index ab8f8b966..5938c93ac 100644 --- a/search-api/search-service/app/controllers/SearchBaseController.scala +++ b/search-api/search-service/app/controllers/SearchBaseController.scala @@ -25,7 +25,7 @@ abstract class SearchBaseController(protected val cc: ControllerComponents)(impl } def commonHeaders()(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-authenticated-user-channel-id" -> "x-user-channel-id","x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") + val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id","x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") val headers = request.headers.headers.groupBy(_._1).mapValues(_.map(_._2)) val appHeaders = headers.filter(header => customHeaders.keySet.contains(header._1.toLowerCase)) .map(entry => (customHeaders.get(entry._1.toLowerCase()).get, entry._2.head)) 
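Review bot: The authorisation principal for secure search now comes from a request header, `x-authenticated-user-orgid`, copied verbatim into `x-user-channel-id`, which — judging by `searchDTO.getUserOrgId()` in the `SearchProcessor` hunks above — becomes the org id in the `secureSettings.organisation` term filter. Nothing in this hunk checks that the header was set by the authenticating gateway rather than by the client, so unless the edge strips client-supplied `x-authenticated-*` headers, a caller can choose which organisation's restricted content to read. Derive the org id from the verified token/session where possible; at minimum document the trust boundary above the map, e.g. `// x-authenticated-user-orgid must be injected by the API gateway from the verified token; client-supplied values are stripped at the edge`. Also, the old key `x-authenticated-user-channel-id` is replaced rather than kept alongside, so an upstream still sending it will now produce a missing org id.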
diff --git a/search-api/search-service/app/controllers/SearchController.scala b/search-api/search-service/app/controllers/SearchController.scala index 3c61ad660..e76bcc5e3 100644 --- a/search-api/search-service/app/controllers/SearchController.scala +++ b/search-api/search-service/app/controllers/SearchController.scala @@ -37,28 +37,6 @@ class SearchController @Inject()(@Named(ActorNames.SEARCH_ACTOR) searchActor: Ac } } - def secureContentSearch() = loggingAction.async { implicit request => - val internalReq = getRequest(ApiId.APPLICATION_SEARCH) - setHeaderContext(internalReq) - val filters = internalReq.getRequest.getOrDefault(SearchConstants.filters, new java.util.HashMap()).asInstanceOf[java.util.Map[String, Object]] - val visibilityObject = filters.getOrDefault("visibility", "") - var visibility: util.List[String] = null - internalReq.put(SearchConstants.secureSettings, "true"); - if (visibilityObject != null) { - if (visibilityObject.isInstanceOf[util.ArrayList[_]]) - visibility = visibilityObject.asInstanceOf[util.ArrayList[String]] - else if (visibilityObject.isInstanceOf[String]) - visibility = util.Arrays.asList(visibilityObject.asInstanceOf[String]) - } - if (visibility.contains("Private")) { - getErrorResponse(ApiId.APPLICATION_SEARCH, apiVersion, SearchConstants.ERR_ACCESS_DENIED, "Cannot access private content through public search api") - } - else { - internalReq.getContext.put(SearchConstants.setDefaultVisibility, "true") - getResult(mgr.search(internalReq, searchActor), ApiId.APPLICATION_SEARCH) - } - } - def privateSearch() = loggingAction.async { implicit request => val internalReq = getRequest(ApiId.APPLICATION_PRIVATE_SEARCH) setHeaderContext(internalReq) diff --git a/search-api/search-service/conf/routes b/search-api/search-service/conf/routes index 35422ed06..44e6c9ad5 100644 --- a/search-api/search-service/conf/routes +++ b/search-api/search-service/conf/routes 
@@ -6,7 +6,6 @@ GET /service/health controllers.HealthController.serviceHealth() #POST /v2/search controllers.SearchController.search() POST /v3/search controllers.SearchController.search() -POST /v3/secureContentSearch controllers.SearchController.secureContentSearch() POST /v3/private/search controllers.SearchController.privateSearch() POST /v2/search/count controllers.SearchController.count() POST /v3/count controllers.SearchController.count() From 7a1e8264475f4bfa79b00cfadd7558c32d815087 Mon Sep 17 00:00:00 2001 From: sreeragksgh Date: Tue, 30 May 2023 14:00:47 +0530 Subject: [PATCH 13/18] Modifications --- .../search/processor/SearchProcessor.java | 326 +++++++++--------- 1 file changed, 163 insertions(+), 163 deletions(-) diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java index 7458ed863..c61e99cfd 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java @@ -55,7 +55,7 @@ public Future> processSearch(SearchDTO searchDTO, boolean in SearchSourceBuilder query = processSearchQuery(searchDTO, groupByFinalList, true); Future searchResponse = null; boolean enableFuzzyWhenNoResults = Platform.config.hasPath("search.fields.enable.fuzzy.when.noresult") && - Platform.config.getBoolean("search.fields.enable.fuzzy.when.noresult"); + Platform.config.getBoolean("search.fields.enable.fuzzy.when.noresult"); if (enableFuzzyWhenNoResults) { //Let's call with Default fuzzy value given in request int exactMatchCount = ElasticSearchUtil.count(SearchConstants.COMPOSITE_SEARCH_INDEX, query); 
@@ -217,7 +217,7 @@ public void destroy() { * @return */ private SearchSourceBuilder processSearchQuery(SearchDTO searchDTO, List> groupByFinalList, - boolean sortBy) { + boolean sortBy) { SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); List fields = searchDTO.getFields(); @@ -274,7 +274,7 @@ private SearchSourceBuilder processSearchQuery(SearchDTO searchDTO, List> groupByList, - SearchSourceBuilder searchSourceBuilder) { + SearchSourceBuilder searchSourceBuilder) { TermsAggregationBuilder termBuilder = null; if (groupByList != null && !groupByList.isEmpty()) { HashMap> nestedAggregation = new HashMap<>(); 
@@ -282,17 +282,17 @@ private void setAggregations(List> groupByList, String groupByParent = (String) groupByMap.get("groupByParent"); if (!groupByParent.contains(".")) { termBuilder = AggregationBuilders.terms(groupByParent) - .field(groupByParent + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit); - List groupByChildList = (List) groupByMap.get("groupByChildList"); - if (groupByChildList != null && !groupByChildList.isEmpty()) { - for (String childGroupBy : groupByChildList) { - termBuilder.subAggregation(AggregationBuilders.terms(childGroupBy) - .field(childGroupBy + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit)); - } + .field(groupByParent + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit); + List groupByChildList = (List) groupByMap.get("groupByChildList"); + if (groupByChildList != null && !groupByChildList.isEmpty()) { + for (String childGroupBy : groupByChildList) { + termBuilder.subAggregation(AggregationBuilders.terms(childGroupBy) + .field(childGroupBy + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit)); } - searchSourceBuilder.aggregation(termBuilder); + } + searchSourceBuilder.aggregation(termBuilder); } else { if (nestedAggregation.get(groupByParent.split("\\.")[0]) != null) { nestedAggregation.get(groupByParent.split("\\.")[0]).add(groupByParent.split("\\.")[1]); @@ -339,7 +339,6 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { formQueryUpdated(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO); } } - Map softConstraints = searchDTO.getSoftConstraints(); if (null != softConstraints && !softConstraints.isEmpty()) { boolQuery.should(getSoftConstraintQuery(softConstraints)); 
@@ -356,6 +355,7 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer private void formQueryUpdated(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) { boolean enableSecureSettings = Platform.config.hasPath("search.fields.enable.secureSettings") && Platform.config.getBoolean("search.fields.enable.secureSettings"); + for (Map property : properties) { String opertation = (String) property.get("operation"); 
@@ -387,85 +387,85 @@ private void formQueryUpdated(List properties, QueryBuilder queryBuilder, B propertyName = propertyName + SearchConstants.RAW_FIELD_EXTENSION; switch (opertation) { - case SearchConstants.SEARCH_OPERATION_EQUAL: { - queryBuilder = getMustTermQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_EQUAL: { - queryBuilder = getMustTermQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_IN: { - queryBuilder = getNotInQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_ENDS_WITH: { - queryBuilder = getRegexQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LIKE: - case SearchConstants.SEARCH_OPERATION_CONTAINS: { - queryBuilder = getMatchPhraseQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_LIKE: { - queryBuilder = getMatchPhraseQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_STARTS_WITH: { - queryBuilder = getMatchPhrasePrefixQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_EXISTS: { - queryBuilder = getExistsQuery(propertyName, values, true); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_NOT_EXISTS: { - queryBuilder = getExistsQuery(propertyName, values, false); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case 
SearchConstants.SEARCH_OPERATION_GREATER_THAN: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_GREATER_THAN); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN: { - queryBuilder = getRangeQuery(propertyName, values, SearchConstants.SEARCH_OPERATION_LESS_THAN); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { - queryBuilder = getRangeQuery(propertyName, values, - SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_RANGE: { - queryBuilder = getRangeQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } - case SearchConstants.SEARCH_OPERATION_AND: { - queryBuilder = getAndQuery(propertyName, values); - queryBuilder = checkNestedProperty(queryBuilder, propertyName); - break; - } + case SearchConstants.SEARCH_OPERATION_EQUAL: { + queryBuilder = getMustTermQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_EQUAL: { + queryBuilder = getMustTermQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_IN: { + queryBuilder = getNotInQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_ENDS_WITH: { + queryBuilder = getRegexQuery(propertyName, values); + 
queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LIKE: + case SearchConstants.SEARCH_OPERATION_CONTAINS: { + queryBuilder = getMatchPhraseQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_LIKE: { + queryBuilder = getMatchPhraseQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_STARTS_WITH: { + queryBuilder = getMatchPhrasePrefixQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_EXISTS: { + queryBuilder = getExistsQuery(propertyName, values, true); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_NOT_EXISTS: { + queryBuilder = getExistsQuery(propertyName, values, false); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_GREATER_THAN); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN: { + queryBuilder = getRangeQuery(propertyName, values, SearchConstants.SEARCH_OPERATION_LESS_THAN); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { + queryBuilder = getRangeQuery(propertyName, values, + SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS); + 
queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_RANGE: { + queryBuilder = getRangeQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } + case SearchConstants.SEARCH_OPERATION_AND: { + queryBuilder = getAndQuery(propertyName, values); + queryBuilder = checkNestedProperty(queryBuilder, propertyName); + break; + } } if (operation.equalsIgnoreCase(AND)) { if (enableSecureSettings) { @@ -494,8 +494,8 @@ private QueryBuilder checkNestedProperty(QueryBuilder queryBuilder, String prope private QueryBuilder getAndQuery(String propertyName, List values) { BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery(); for (Object value : values) { - queryBuilder.must( - QueryBuilders.matchQuery(propertyName, value).operator(Operator.AND).fuzzyTranspositions(false)); + queryBuilder.must( + QueryBuilders.matchQuery(propertyName, value).operator(Operator.AND).fuzzyTranspositions(false)); } return queryBuilder; } 
@@ -550,19 +550,19 @@ private QueryBuilder getSecureSettingsSearchDefaultQuery() { QueryBuilder firstNestedQuery =new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() .mustNot(new ExistsQueryBuilder("organisation")), org.apache.lucene.search.join.ScoreMode.None); QueryBuilder secondNestedQuery= new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() - .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); + .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); QueryBuilder query = QueryBuilders.boolQuery() .should(firstNestedQuery).should (secondNestedQuery); return query; } + private QueryBuilder getSecureSettingsSearchQuery(String org_id) { - QueryBuilder query =new NestedQueryBuilder("secureSettings", - QueryBuilders.boolQuery() .must(new ExistsQueryBuilder("secureSettings.organisation")).must(QueryBuilders.termQuery("secureSettings.organisation",org_id)), org.apache.lucene.search.join.ScoreMode.None); + QueryBuilder query = new NestedQueryBuilder("secureSettings", + QueryBuilders.boolQuery().must(new ExistsQueryBuilder("secureSettings.organisation")).must(QueryBuilders.termQuery("secureSettings.organisation", org_id)), org.apache.lucene.search.join.ScoreMode.None); return query; } - /** * @param softConstraints * @return 
@@ -598,26 +598,26 @@ private QueryBuilder getRangeQuery(String propertyName, List values, Str BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery(); for (Object value : values) { switch (operation) { - case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).gt(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).gte(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).lt(value)); - break; - } - case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { - queryBuilder.should(QueryBuilders - .rangeQuery(propertyName).lte(value)); - break; - } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).gt(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_GREATER_THAN_EQUALS: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).gte(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).lt(value)); + break; + } + case SearchConstants.SEARCH_OPERATION_LESS_THAN_EQUALS: { + queryBuilder.should(QueryBuilders + .rangeQuery(propertyName).lte(value)); + break; + } } } @@ -739,14 +739,14 @@ private QueryBuilder getRangeQuery(String propertyName, List values) { if (!rangeMap.isEmpty()) { for (String key : rangeMap.keySet()) { switch (key) { - case SearchConstants.SEARCH_OPERATION_RANGE_GTE: { - queryBuilder.from(rangeMap.get(key)); - break; - } - case SearchConstants.SEARCH_OPERATION_RANGE_LTE: { - queryBuilder.to(rangeMap.get(key)); - break; - } + case SearchConstants.SEARCH_OPERATION_RANGE_GTE: { + queryBuilder.from(rangeMap.get(key)); + break; + } + case SearchConstants.SEARCH_OPERATION_RANGE_LTE: { + queryBuilder.to(rangeMap.get(key)); + break; + } } } } 
@@ -768,7 +768,7 @@ public Future> processSearchQuery(SearchDTO searchDTO, boolean incl } public Future> processSearchQuery(SearchDTO searchDTO, boolean includeResults, String index, - boolean sort) + boolean sort) throws Exception { List> groupByFinalList = new ArrayList>(); if (searchDTO.getLimit() == 0) @@ -794,8 +794,8 @@ public List apply(SearchResponse searchResult) { } public Future processSearchQueryWithSearchResult(SearchDTO searchDTO, boolean includeResults, - String index, - boolean sort) throws Exception { + String index, + boolean sort) throws Exception { List> groupByFinalList = new ArrayList>(); if (searchDTO.getLimit() == 0) searchDTO.setLimit(ElasticSearchUtil.defaultResultLimit); 
@@ -820,48 +820,48 @@ private void setAggregations(SearchSourceBuilder searchSourceBuilder, List aggregate, int level) { - TermsAggregationBuilder termBuilder = AggregationBuilders.terms((String)aggregate.get("l" + level)) - .field(aggregate.get("l" + level) + SearchConstants.RAW_FIELD_EXTENSION) - .size(ElasticSearchUtil.defaultResultLimit); + TermsAggregationBuilder termBuilder = AggregationBuilders.terms((String)aggregate.get("l" + level)) + .field(aggregate.get("l" + level) + SearchConstants.RAW_FIELD_EXTENSION) + .size(ElasticSearchUtil.defaultResultLimit); if(level == aggregate.keySet().size()){ return termBuilder; }else { - level += 1; + level += 1; return termBuilder.subAggregation(getNextLevelAggregation(aggregate, level)); } } - private List> aggregateResult(Aggregations aggregations) { - List> aggregationList = new ArrayList<>(); - if(null != aggregations){ - Map aggregationMap = aggregations.getAsMap(); - for(String key: aggregationMap.keySet()){ - Terms terms = (Terms) aggregationMap.get(key); - List buckets = (List) terms.getBuckets(); - List> values = new ArrayList<>(); - if(CollectionUtils.isNotEmpty(buckets)) { - for(Terms.Bucket bucket: buckets) { - Map termBucket = new HashMap() {{ - put("count", bucket.getDocCount()); - put("name", bucket.getKey()); - List> subAggregations = aggregateResult(bucket.getAggregations()); - if(CollectionUtils.isNotEmpty(subAggregations)) - put("aggregations", subAggregations); - }}; - values.add(termBucket); - } - aggregationList.add(new HashMap(){{ - put("values", values); - put("name", key); - }}); - } - } - - } - return aggregationList; - } + private List> aggregateResult(Aggregations aggregations) { + List> aggregationList = new ArrayList<>(); + if(null != aggregations){ + Map aggregationMap = aggregations.getAsMap(); + for(String key: aggregationMap.keySet()){ + Terms terms = (Terms) aggregationMap.get(key); + List buckets = (List) terms.getBuckets(); + List> values = new ArrayList<>(); + 
if(CollectionUtils.isNotEmpty(buckets)) { + for(Terms.Bucket bucket: buckets) { + Map termBucket = new HashMap() {{ + put("count", bucket.getDocCount()); + put("name", bucket.getKey()); + List> subAggregations = aggregateResult(bucket.getAggregations()); + if(CollectionUtils.isNotEmpty(subAggregations)) + put("aggregations", subAggregations); + }}; + values.add(termBucket); + } + aggregationList.add(new HashMap(){{ + put("values", values); + put("name", key); + }}); + } + } + + } + return aggregationList; + } private QueryBuilder getSearchQuery(SearchDTO searchDTO) { BoolQueryBuilder boolQuery = new BoolQueryBuilder(); From 0b82f0636399563622848f7069ac9df6a7d97fbf Mon Sep 17 00:00:00 2001 From: sreeragksgh Date: Tue, 30 May 2023 16:51:48 +0530 Subject: [PATCH 14/18] Modifications on default condition --- .../search/processor/SearchProcessor.java | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java index c61e99cfd..4ccd67763 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java @@ -353,9 +353,9 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer } private void formQueryUpdated(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) { - boolean enableSecureSettings = Platform.config.hasPath("search.fields.enable.secureSettings") && - Platform.config.getBoolean("search.fields.enable.secureSettings"); - + boolean enableSecureSettings = false; + if (searchDTO != null) + enableSecureSettings = searchDTO.isSecureSettings(); for (Map property : properties) { String opertation = (String) property.get("operation"); 
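Review bot: The `search.fields.enable.secureSettings` configuration switch is dropped here, so `enableSecureSettings` is now nothing more than `searchDTO.isSecureSettings()` and there is no longer a deployment-level way to turn the secure-settings filtering off. Because `formQuery` calls this method with `searchDTO == null`, the flag is `false` on every non-secure search, and with the `else` branches restructured in the following hunks that path now always applies `boolQuery.mustNot(getSecureSettingsSearchDefaultQuery())` — a behaviour change on the public search endpoint that the commit message does not mention. If that is intended, keep the config check as an outer kill-switch, e.g. `boolean filterEnabled = Platform.config.hasPath("search.fields.enable.secureSettings") && Platform.config.getBoolean("search.fields.enable.secureSettings");`, gate both branches with it, and add a comment above the assignment saying that a `null` DTO means a public search. `formQueryUpdated` continues past the end of the hunk.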
@@ -374,11 +374,9 @@ private void formQueryUpdated(List properties, QueryBuilder queryBuilder, B
 propertyName = "all_fields";
 queryBuilder = getAllFieldsPropertyQuery(values, fuzzy);
 if (enableSecureSettings) {
- if (searchDTO.isSecureSettings()) {
- boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId()));
- } else {
- boolQuery.mustNot(getSecureSettingsSearchDefaultQuery());
- }
+ boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId()));
+ } else {
+ boolQuery.mustNot(getSecureSettingsSearchDefaultQuery());
 }
 boolQuery.must(queryBuilder);
 continue;
@@ -469,11 +467,9 @@ private void formQueryUpdated(List properties, QueryBuilder queryBuilder, B
 }
 if (operation.equalsIgnoreCase(AND)) {
 if (enableSecureSettings) {
- if (searchDTO.isSecureSettings()) {
- boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId()));
- } else {
- boolQuery.mustNot(getSecureSettingsSearchDefaultQuery());
- }
+ boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId()));
+ } else {
+ boolQuery.mustNot(getSecureSettingsSearchDefaultQuery());
 }
 boolQuery.must(queryBuilder);
 } else {
From 4f49ecfedb71bcb2e57d403de3be276018d0f752 Mon Sep 17 00:00:00 2001
From: sreeragksgh
Date: Tue, 30 May 2023 17:59:42 +0530
Subject: [PATCH 15/18] method name change to formQueryImpl
---
 .../org/sunbird/search/processor/SearchProcessor.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java
index 4ccd67763..58a734a5a 100644
--- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java
+++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java
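Review bot: The new `else` branch applies `boolQuery.mustNot(getSecureSettingsSearchDefaultQuery())` on every search where `enableSecureSettings` is false, i.e. the public path, but `getSecureSettingsSearchDefaultQuery` (hunk at the top of this chunk) matches documents whose `secureSettings` object has no `organisation` or an empty one — the unrestricted content — so negating it keeps org-restricted content and drops unrestricted content, the reverse of what a public search should do if those field paths resolve as written. If the bare `organisation` path does not resolve inside the nested query (Elasticsearch wants `secureSettings.organisation`), the net effect is instead to drop every document that has any `secureSettings` object, which may be what testing shows but only by accident. I would state the intent directly for the public path — `boolQuery.mustNot(new NestedQueryBuilder("secureSettings", new ExistsQueryBuilder("secureSettings.organisation"), org.apache.lucene.search.join.ScoreMode.None));` — with a comment on each branch saying which side is meant to be excluded. The same if/else block is copied into both hunks; a small `private void applySecureSettingsFilter(BoolQueryBuilder boolQuery, SearchDTO searchDTO)` helper would keep them from drifting. `formQueryUpdated` starts and ends outside both hunks.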
@@ -331,12 +331,12 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) {
 if (searchDTO.isSecureSettings() == false) formQuery(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch());
 else
- formQueryUpdated(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO);
+ formQueryImpl(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO);
 if (searchDTO.getMultiFilterProperties() != null) {
 if (searchDTO.isSecureSettings() == false) formQuery(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, SearchConstants.SEARCH_OPERATION_OR, searchDTO.isFuzzySearch());
 else {
- formQueryUpdated(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO);
+ formQueryImpl(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO);
 }
 }
 Map softConstraints = searchDTO.getSoftConstraints();
@@ -349,10 +349,10 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) {
 }
 private void formQuery(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy) {
- formQueryUpdated(properties, queryBuilder, boolQuery, operation, fuzzy, null);
+ formQueryImpl(properties, queryBuilder, boolQuery, operation, fuzzy, null);
 }
- private void formQueryUpdated(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) {
+ private void formQueryImpl(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) {
 boolean enableSecureSettings = false;
 if (searchDTO != null)
 enableSecureSettings = searchDTO.isSecureSettings();
From 707a34acea3ce9f6888042c01d709028d5514625 Mon Sep 17 00:00:00 2001
From: karthik-tarento
Date: Tue, 30 May 2023 18:44:29 +0530
Subject: [PATCH 16/18] Enhanced code to read private key from config
---
 .../sunbird/managers/HierarchyManager.scala | 2 +-
 .../org/sunbird/auth/verifier/JWTUtil.java | 18 ++++++++++++++++++
 .../org/sunbird/auth/verifier/KeyManager.java | 4 ++--
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
index 7cdc626dd..2a03d47cb 100644
--- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
+++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
@@ -758,7 +758,7 @@ object HierarchyManager {
 var csToken = ""; var claimsMap : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef]
 claimsMap.put("contentIdentifier", children)
- csToken = JWTUtil.createRS256Token(claimsMap)
+ csToken = JWTUtil.createRS256Token(claimsMap, true)
 csToken
 }
 }
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
index 788358a63..dd86dd8c6 100644
--- a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
+++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
@@ -1,6 +1,7 @@
 package org.sunbird.auth.verifier;
 import org.sunbird.common.JsonUtils;
+import org.sunbird.common.Platform;
 import org.sunbird.telemetry.logger.TelemetryManager;
 import java.util.HashMap;
@@ -9,6 +10,9 @@ public class JWTUtil {
 private static String SEPARATOR = ".";
+ public static String JWT_SECRET_STRING = Platform.config.hasPath("content.security.jwt.secret") ?
+ Platform.config.getString("content.security.jwt.secret"): "sunbird";
+
 public static String createRS256Token(Map claimsMap) {
 String token = "";
 JWTokenType tokenType = JWTokenType.RS256;
@@ -28,6 +32,20 @@ public static String createRS256Token(Map claimsMap) {
 return token;
 }

+ public static String createRS256Token(Map claimsMap, boolean useSecret) {
+ String token = "";
+ JWTokenType tokenType = JWTokenType.RS256;
+ try {
+ Map headerOptions = new HashMap();
+ String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap);
+ String signature = encodeToBase64Uri(CryptoUtil.generateRSASign(payLoad, KeyManager.loadPrivateKey(JWT_SECRET_STRING), tokenType.getAlgorithmName()));
+ token = payLoad + SEPARATOR + signature;
+ } catch (Exception e) {
+ TelemetryManager.error("JWTUtil.createRS256Token :: Failed to create RS256 token. Exception: ", e);
+ }
+ return token;
+ }
+
 private static String createHeader(JWTokenType tokenType, Map headerOptions) throws Exception {
 Map headerData = new HashMap<>();
 if (headerOptions != null)
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java
index 61eac0da5..a55ccb4ab 100644
--- a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java
+++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java
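Review bot: `JWT_SECRET_STRING` silently falls back to the literal `"sunbird"` when `content.security.jwt.secret` is not configured, so any deployment that omits the setting signs tokens with a value known to everyone who can read this repository, and a `public static` non-final field can be reassigned from anywhere in the process. Missing key material should fail closed: `private static final String JWT_SECRET_STRING = Platform.config.getString("content.security.jwt.secret");` (which raises on a missing path if `Platform.config` is a Typesafe `Config`), plus a startup check that the value is non-blank. In this patch the value is handed to `KeyManager.loadPrivateKey` as PEM text, so the config key and field name should say "private key" rather than "secret" to avoid the two being confused later. `createRS256Token` continues past the hunk.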
@@ -80,13 +80,13 @@ public static PublicKey loadPublicKey(String key) throws Exception {
 return kf.generatePublic(X509publicKey);
 }

- private static PrivateKey loadPrivateKey(String key) throws Exception {
+ public static PrivateKey loadPrivateKey(String key) throws Exception {
 String privateKey = new String(key.getBytes(), StandardCharsets.UTF_8);
 privateKey = privateKey.replaceAll("(-+BEGIN RSA PRIVATE KEY-+)", "");
 privateKey = privateKey.replaceAll("(-+END RSA PRIVATE KEY-+)", "");
 privateKey = privateKey.replaceAll("(-+BEGIN PRIVATE KEY-+)", "");
 privateKey = privateKey.replaceAll("(-+END PRIVATE KEY-+)", "");
- publicKey = publicKey.replaceAll("[\\r\\n]+", "");
+ privateKey = privateKey.replaceAll("[\\r\\n]+", "");
 byte[] keyBytes = Base64Util.decode(privateKey.getBytes("UTF-8"), Base64Util.DEFAULT);
 // generate private key
From db937ddcc1427fb55c5a30000d9c1db7902b781d Mon Sep 17 00:00:00 2001
From: karthik-tarento
Date: Tue, 30 May 2023 19:54:31 +0530
Subject: [PATCH 17/18] Using HS256 algorithm to generate token
---
 .../sunbird/managers/HierarchyManager.scala | 2 +-
 .../org/sunbird/auth/verifier/CryptoUtil.java | 18 +++++++++
 .../org/sunbird/auth/verifier/JWTUtil.java | 39 ++++++++++---------
 3 files changed, 40 insertions(+), 19 deletions(-)
diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
index 2a03d47cb..1019d0fc4 100644
--- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
+++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala
@@ -758,7 +758,7 @@ object HierarchyManager {
 var csToken = "";
 var claimsMap : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef]
 claimsMap.put("contentIdentifier", children)
- csToken = JWTUtil.createRS256Token(claimsMap, true)
+ csToken = JWTUtil.createHS256Token(claimsMap)
 csToken
 }
 }
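Review bot: `String privateKey = new String(key.getBytes(), StandardCharsets.UTF_8);` encodes with the platform default charset and decodes as UTF-8, which is a no-op on UTF-8 JVMs and silently corrupts the PEM text on others; `String privateKey = key;` is what is meant, and `privateKey.getBytes("UTF-8")` below can use `StandardCharsets.UTF_8` too. The `publicKey` → `privateKey` fix is right, and since the old line either failed to compile or left line breaks in the Base64 body, `loadPrivateKey` has effectively never run; now that it is `public` it deserves a unit test with both `BEGIN PRIVATE KEY` and `BEGIN RSA PRIVATE KEY` inputs, because only one of those encodings is the PKCS#8 form the decoder below presumably expects. The method body continues past the hunk.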
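Review bot: `csToken` is returned without being checked, but `createHS256Token` in this same patch catches every exception and returns `""`, so a signing failure hands the caller an empty token instead of an error; treat an empty result as a failure before returning it. The claims map carries only `contentIdentifier` — no `exp` or `iat` — so if the verifier honours the standard JWT claims, a leaked token stays valid indefinitely; set an expiry when the token is minted. Stylistically the `var` reassignment can become `val csToken = JWTUtil.createHS256Token(claimsMap)`. The enclosing method starts before the hunk.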
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java
index a961f91b2..2f83d55b6 100644
--- a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java
+++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java
@@ -2,6 +2,10 @@
 import java.nio.charset.Charset;
 import java.security.*;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
 import org.sunbird.telemetry.logger.TelemetryManager;
@@ -24,6 +28,20 @@ public static boolean verifyRSASign(String payLoad, byte[] signature, PublicKey
 }
 }

+ public static byte[] generateHMAC(String payLoad, String secretKey, String algorithm) {
+ Mac mac;
+ byte[] signature;
+ try {
+ mac = Mac.getInstance(algorithm);
+ mac.init(new SecretKeySpec(secretKey.getBytes(), algorithm));
+ signature = mac.doFinal(payLoad.getBytes(US_ASCII));
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+ TelemetryManager.error("CryptoUtil:generateHMAC :: failed to generate signature. Exception: ", e);
+ return null;
+ }
+ return signature;
+ }
+
 public static byte[] generateRSASign(String payLoad, PrivateKey key, String algorithm) {
 Signature sign;
 byte[] signature;
diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
index dd86dd8c6..b382ae3d3 100644
--- a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
+++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java
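Review bot: `mac.init(new SecretKeySpec(secretKey.getBytes(), algorithm));` encodes the secret with the JVM default charset while the payload is encoded as `US_ASCII`, so a secret containing non-ASCII characters produces different signatures on hosts with different `file.encoding`; use `secretKey.getBytes(StandardCharsets.UTF_8)` (adding the `java.nio.charset.StandardCharsets` import). Returning `null` on failure pushes a NullPointerException into the caller's `encodeToBase64Uri`; throwing, or letting the two checked exceptions propagate, keeps the failure explicit. `SecretKeySpec` also throws `IllegalArgumentException` for an empty key, which the catch does not cover, so reject a blank secret up front. The import hunk and `generateRSASign` continue outside this hunk.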
@@ -13,15 +13,31 @@ public class JWTUtil {
 public static String JWT_SECRET_STRING = Platform.config.hasPath("content.security.jwt.secret") ?
 Platform.config.getString("content.security.jwt.secret"): "sunbird";

+ public static String createHS256Token(Map claimsMap) {
+ String token = "";
+ JWTokenType tokenType = JWTokenType.HS256;
+ try {
+ Map headerOptions = new HashMap();
+ String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap);
+ String signature = encodeToBase64Uri(
+ CryptoUtil.generateHMAC(payLoad, JWT_SECRET_STRING, tokenType.getAlgorithmName()));
+ token = payLoad + SEPARATOR + signature;
+ } catch (Exception e) {
+ TelemetryManager.error("JWTUtil.createHS256Token :: Failed to create RS256 token. Exception: ", e);
+ }
+ return token;
+ }
+
 public static String createRS256Token(Map claimsMap) {
 String token = "";
 JWTokenType tokenType = JWTokenType.RS256;
 try {
 KeyData keyData = KeyManager.getRandomKey();
- if(keyData != null) {
+ if (keyData != null) {
 Map headerOptions = createHeaderOptions(keyData.getKeyId());
 String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap);
- String signature = encodeToBase64Uri(CryptoUtil.generateRSASign(payLoad, keyData.getPrivateKey(), tokenType.getAlgorithmName()));
+ String signature = encodeToBase64Uri(
+ CryptoUtil.generateRSASign(payLoad, keyData.getPrivateKey(), tokenType.getAlgorithmName()));
 token = payLoad + SEPARATOR + signature;
 } else {
 TelemetryManager.error("JWTUtil.createRS256Token :: KeyManager is not initialized properly.");
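Review bot: The log line in the new `createHS256Token` says `Failed to create RS256 token`; it should read `"JWTUtil.createHS256Token :: Failed to create HS256 token. Exception: "` so HMAC failures are not misattributed to the RSA path during triage. The method also returns `""` on any failure — including the `null` that `generateHMAC` returns, which presumably surfaces here as a NullPointerException inside `encodeToBase64Uri` — and callers such as `HierarchyManager` pass that empty string on; throwing instead would make signing failures visible. Every HS256 token is signed with the process-wide `JWT_SECRET_STRING`, which defaults to `"sunbird"` when unconfigured, so the strength of this method rests entirely on that setting being present in every environment; a guard such as `if (JWT_SECRET_STRING.isBlank()) throw new IllegalStateException("content.security.jwt.secret is not configured");` at the top would make that explicit. The `createRS256Token` body continues past the hunk.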
@@ -32,25 +48,12 @@ public static String createRS256Token(Map claimsMap) {
 return token;
 }

- public static String createRS256Token(Map claimsMap, boolean useSecret) {
- String token = "";
- JWTokenType tokenType = JWTokenType.RS256;
- try {
- Map headerOptions = new HashMap();
- String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap);
- String signature = encodeToBase64Uri(CryptoUtil.generateRSASign(payLoad, KeyManager.loadPrivateKey(JWT_SECRET_STRING), tokenType.getAlgorithmName()));
- token = payLoad + SEPARATOR + signature;
- } catch (Exception e) {
- TelemetryManager.error("JWTUtil.createRS256Token :: Failed to create RS256 token. Exception: ", e);
- }
- return token;
- }
-
 private static String createHeader(JWTokenType tokenType, Map headerOptions) throws Exception {
 Map headerData = new HashMap<>();
 if (headerOptions != null)
 headerData.putAll(headerOptions);
 headerData.put("alg", tokenType.getTokenType());
+ headerData.put("typ", "JWT");
 return encodeToBase64Uri(JsonUtils.serialize(headerData).getBytes());
 }

@@ -58,11 +61,11 @@ private static Map createHeaderOptions(String keyId) {
 Map headers = new HashMap<>();
 headers.put("kid", keyId);
 return headers;
- }
+ }

 private static String createClaimsMap(Map claimsMap) throws Exception {
 Map payloadData = new HashMap<>();
- if(claimsMap != null && claimsMap.size() > 0) {
+ if (claimsMap != null && claimsMap.size() > 0) {
 payloadData.putAll(claimsMap);
 }
 return encodeToBase64Uri(JsonUtils.serialize(payloadData).getBytes());
From eb8884bd7bf606383fd03132014e666ecd004d8d Mon Sep 17 00:00:00 2001
From: karthik-tarento
Date: Tue, 30 May 2023 19:59:39 +0530
Subject: [PATCH 18/18] Added version details in parent pom file
---
 pom.xml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pom.xml b/pom.xml
index f3f14193a..f3b94a318 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,6 +16,9 @@ 2.11.12 3.0.8 2.9.8 + 2.22.0 + 2.0.7 + 2.0.0-beta.5 platform-core