update SessionData and SessionMaterials, add JwtClaims

Author: fupelaqu

build.sbt

@@ -8,7 +8,7 @@ ThisBuild / organization := "app.softnetwork"
 
 name := "generic-persistence-api"
 
-ThisBuild / version := "0.5.1"
+ThisBuild / version := "0.6.0"
 
 ThisBuild / scalaVersion := "2.12.18"
 

session/common/src/main/protobuf/session.proto

@@ -1,6 +1,7 @@
 syntax = "proto3";
 
 import "scalapb/scalapb.proto";
+import "google/protobuf/wrappers.proto";
 
 package org.softnetwork.session.model;
 
@@ -25,4 +26,25 @@ message Session {
     option (scalapb.message).companion_extends = "SessionCompanion";
     map<string, string> data = 1 [(scalapb.field).map_type="collection.immutable.Map", (scalapb.field).scala_name = "kvs"];
     bool refreshable = 2;
-}
+}
+
+message JwtClaims {
+    option (scalapb.message).extends = "SessionData";
+    option (scalapb.message).extends = "JwtClaimsDecorator";
+    option (scalapb.message).companion_extends = "JwtClaimsCompanion";
+    map<string, string> data = 1 [(scalapb.field).map_type="collection.immutable.Map", (scalapb.field).scala_name = "additionalClaims"];
+    bool refreshable = 2;
+    google.protobuf.StringValue iss = 3;
+    google.protobuf.StringValue sub = 4;
+    google.protobuf.StringValue aud = 5;
+    google.protobuf.Int64Value exp = 6;
+    google.protobuf.Int64Value nbf = 7;
+    google.protobuf.Int64Value iat = 8;
+    google.protobuf.StringValue jti = 9;
+}
+
+message ApiKey {
+    option (scalapb.message).extends = "ProtobufDomainObject";
+    string clientId = 1;
+    google.protobuf.StringValue clientSecret = 2;
+}

session/common/src/main/scala/app/softnetwork/session/model/BasicSessionSerializer.scala

@@ -0,0 +1,58 @@
+package app.softnetwork.session.model
+
+import app.softnetwork.session.security.Crypto
+import com.softwaremill.session.SessionSerializer
+
+import scala.language.reflectiveCalls
+import scala.util.Try
+
+class BasicSessionSerializer[T <: SessionData](val serverSecret: String)(implicit
+  companion: SessionDataCompanion[T]
+) extends SessionSerializer[T, String] {
+
+  override def serialize(session: T): String = {
+    val encoded = java.net.URLEncoder
+      .encode(
+        session.data
+          .filterNot(_._1.contains(":"))
+          .map(d => d._1 + ":" + d._2)
+          .mkString("\u0000"),
+        "UTF-8"
+      )
+    Crypto.sign(encoded, serverSecret) + "-" + encoded
+  }
+
+  override def deserialize(r: String): Try[T] = {
+    def urldecode(data: String): Map[String, String] =
+      Map[String, String](
+        java.net.URLDecoder
+          .decode(data, "UTF-8")
+          .split("\u0000")
+          .map(_.split(":"))
+          .map(p => p(0) -> p.drop(1).mkString(":")): _*
+      )
+
+    // Do not change this unless you understand the security issues behind timing attacks.
+    // This method intentionally runs in constant time if the two strings have the same length.
+    // If it didn't, it would be vulnerable to a timing attack.
+    def safeEquals(a: String, b: String): Boolean = {
+      if (a.length != b.length) false
+      else {
+        var equal = 0
+        for (i <- Array.range(0, a.length)) {
+          equal |= a(i) ^ b(i)
+        }
+        equal == 0
+      }
+    }
+
+    Try {
+      val split = r.split("-")
+      val message = split.tail.mkString("-")
+      if (safeEquals(split(0), Crypto.sign(message, serverSecret)))
+        companion.newSession.withData(urldecode(message))
+      else
+        throw new Exception("corrupted encrypted data")
+    }
+  }
+}

session/common/src/main/scala/app/softnetwork/session/model/JwtClaimsCompanion.scala

@@ -0,0 +1,90 @@
+package app.softnetwork.session.model
+
+import app.softnetwork.persistence.generateUUID
+import com.softwaremill.session.{SessionConfig, SessionResult}
+import org.json4s._
+import org.json4s.jackson.JsonMethods._
+import org.softnetwork.session.model.JwtClaims
+
+import java.util.Base64
+import scala.util.Try
+
+trait JwtClaimsCompanion extends SessionDataCompanion[JwtClaims] with JwtClaimsKeys {
+  override def newSession: JwtClaims = JwtClaims.defaultInstance
+
+  override def apply(s: String): JwtClaims =
+    Try {
+      val sCleaned = if (s.startsWith("Bearer")) s.substring(7).trim else s
+      val List(_, p, _) = sCleaned.split("\\.").toList
+      val decodedValue = Try {
+        parse(new String(Base64.getUrlDecoder.decode(p), "utf-8"))
+      }
+      for (jv <- decodedValue) yield {
+        val iss = jv \\ "iss" match {
+          case JString(value) => Some(value)
+          case _              => None
+        }
+        val sub = jv \\ "sub" match {
+          case JString(value) => Some(value)
+          case _              => None
+        }
+        val aud = jv \\ "aud" match {
+          case JString(value) => Some(value)
+          case _              => None
+        }
+        val exp = jv \\ "exp" match {
+          case JInt(value) => Some(value.toLong)
+          case _           => None
+        }
+        val nbf = jv \\ "nbf" match {
+          case JInt(value) => Some(value.toLong)
+          case _           => None
+        }
+        val iat = jv \\ "iat" match {
+          case JInt(value) => Some(value.toLong)
+          case _           => None
+        }
+        val jti = jv \\ "jti" match {
+          case JString(value) => Some(value)
+          case _              => None
+        }
+        JwtClaims(
+          Map.empty,
+          _refreshable,
+          iss,
+          sub,
+          aud,
+          exp,
+          nbf,
+          iat,
+          jti
+        ).withId(sub.getOrElse(generateUUID()))
+      }
+    }.flatten.toOption.getOrElse(JwtClaims())
+
+  def decode(s: String, clientSecret: String): Option[JwtClaims] = {
+    val config = SessionConfig.default(clientSecret)
+    JwtClaimsEncoder
+      .decode(s, config)
+      .map { dr =>
+        val expired = config.sessionMaxAgeSeconds.fold(false)(_ =>
+          System.currentTimeMillis() > dr.expires.getOrElse(Long.MaxValue)
+        )
+        if (expired) {
+          SessionResult.Expired
+        } else if (!dr.signatureMatches) {
+          SessionResult.Corrupt(new RuntimeException("Corrupt signature"))
+        } else if (dr.isLegacy) {
+          SessionResult.DecodedLegacy(dr.t)
+        } else {
+          SessionResult.Decoded(dr.t)
+        }
+      }
+      .recover { case t: Exception => SessionResult.Corrupt(t) }
+      .get match {
+      case SessionResult.Decoded(claims) => Some(claims)
+      case _                             => None
+    }
+  }
+
+}

session/common/src/main/scala/app/softnetwork/session/model/JwtClaimsDecorator.scala

@@ -0,0 +1,34 @@
+package app.softnetwork.session.model
+
+import com.softwaremill.session.SessionConfig
+import org.softnetwork.session.model.JwtClaims
+
+trait JwtClaimsDecorator extends SessionDataDecorator[JwtClaims] with JwtClaimsKeys {
+  self: JwtClaims =>
+
+  lazy val data: Map[String, String] = additionalClaims
+
+  override def withData(data: Map[String, String]): JwtClaims = withAdditionalClaims(data)
+
+  override def withId(id: String): JwtClaims =
+    synchronized {
+      dirty = true
+      withData(data + (idKey -> id)).withSub(id)
+    }
+
+  override lazy val clientId: Option[String] = iss.orElse(get(clientIdKey))
+
+  override def withClientId(clientId: String): JwtClaims =
+    synchronized {
+      dirty = true
+      withData(data + (clientIdKey -> clientId)).withIss(clientId)
+    }
+
+  def encode(clientId: String, clientSecret: String): String = {
+    JwtClaimsEncoder.encode(
+      this.withIss(clientId),
+      System.currentTimeMillis(),
+      SessionConfig.default(clientSecret)
+    )
+  }
+}

session/common/src/main/scala/app/softnetwork/session/model/JwtClaimsEncoder.scala

@@ -0,0 +1,68 @@
+package app.softnetwork.session.model
+
+import app.softnetwork.concurrent.Completion
+import com.softwaremill.session._
+import org.json4s.{DefaultFormats, Formats, JValue}
+import org.softnetwork.session.model.{ApiKey, JwtClaims}
+
+import scala.concurrent.Future
+import scala.util.Try
+
+trait JwtClaimsEncoder extends SessionEncoder[JwtClaims] with Completion {
+
+  implicit def formats: Formats = DefaultFormats
+
+  implicit def sessionSerializer: SessionSerializer[JwtClaims, JValue] = SessionSerializers.jwt
+
+  def loadApiKey(clientId: String): Future[Option[ApiKey]]
+
+  def sessionEncoder = new JwtSessionEncoder[JwtClaims]
+
+  override def encode(t: JwtClaims, nowMillis: Long, config: SessionConfig): String = {
+    val jwt = config.jwt.copy(
+      issuer = t.iss.orElse(config.jwt.issuer),
+      subject = t.sub.orElse(config.jwt.subject),
+      audience = t.aud.orElse(config.jwt.audience)
+    )
+    (t.iss match {
+      case Some(iss) =>
+        (loadApiKey(iss) complete ()).toOption.flatten
+      case _ => None
+    }) match {
+      case Some(apiKey) if apiKey.clientSecret.isDefined =>
+        sessionEncoder.encode(
+          t,
+          nowMillis,
+          config.copy(jwt = jwt, serverSecret = apiKey.clientSecret.get)
+        )
+      case _ => sessionEncoder.encode(t, nowMillis, config.copy(jwt = jwt))
+    }
+  }
+
+  override def decode(s: String, config: SessionConfig): Try[DecodeResult[JwtClaims]] = {
+    val jwtClaims = JwtClaims(s)
+    val maybeClientId =
+      if (jwtClaims.iss.contains(config.jwt.issuer.getOrElse(""))) jwtClaims.sub
+      else jwtClaims.iss
+    val innerConfig = (maybeClientId match {
+      case Some(clientId) =>
+        (loadApiKey(clientId) complete ()).toOption.flatten.flatMap(_.clientSecret)
+      case _ => None
+    }) match {
+      case Some(clientSecret) =>
+        config.copy(serverSecret = clientSecret)
+      case _ =>
+        config
+    }
+    sessionEncoder
+      .decode(s, innerConfig)
+      .map(result =>
+        result.copy(t = jwtClaims.copy(additionalClaims = result.t.data ++ jwtClaims.data))
+      )
+
+  }
+}
+
+case object JwtClaimsEncoder extends JwtClaimsEncoder {
+  override def loadApiKey(clientId: String): Future[Option[ApiKey]] = Future.successful(None)
+}

session/common/src/main/scala/app/softnetwork/session/model/JwtClaimsKeys.scala

@@ -0,0 +1,7 @@
+package app.softnetwork.session.model
+
+trait JwtClaimsKeys extends SessionDataKeys {
+
+  override lazy val idKey = "id"
+
+}

session/common/src/main/scala/app/softnetwork/session/model/JwtSessionSerializer.scala

@@ -0,0 +1,21 @@
+package app.softnetwork.session.model
+
+import com.softwaremill.session.SessionSerializer
+import org.json4s.jackson.JsonMethods.asJValue
+import org.json4s.{DefaultFormats, DefaultWriters, Formats, JValue}
+
+import scala.util.Try
+
+class JwtSessionSerializer[T <: SessionData](implicit companion: SessionDataCompanion[T])
+    extends SessionSerializer[T, JValue] {
+
+  implicit val formats: Formats = DefaultFormats
+
+  import DefaultWriters._
+
+  override def serialize(t: T): JValue = asJValue(t.data)
+
+  override def deserialize(r: JValue): Try[T] = Try {
+    companion.newSession.withData(r.extract[Map[String, String]])
+  }
+}