1 /*
2  *  Make.org Core API
3  *  Copyright (C) 2018 Make.org
4  *
5  * This program is free software: you can redistribute it and/or modify
6  *  it under the terms of the GNU Affero General Public License as
7  *  published by the Free Software Foundation, either version 3 of the
8  *  License, or (at your option) any later version.
9  *
10  *  This program is distributed in the hope that it will be useful,
11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  *  GNU Affero General Public License for more details.
14  *
15  *  You should have received a copy of the GNU Affero General Public License
16  *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
17  *
18  */
19 
20 package org.make.api.technical.auth
21 
22 import akka.http.scaladsl.model.StatusCodes
23 import akka.http.scaladsl.server.{Directives, PathMatcher1, Route}
24 import eu.timepit.refined.api.Refined
25 import eu.timepit.refined.api.Validate
26 import eu.timepit.refined.auto._
27 import eu.timepit.refined.string.Uri
28 import grizzled.slf4j.Logging
29 import io.circe.generic.semiauto.{deriveDecoder, deriveEncoder}
30 import io.circe.refined._
31 import io.circe.{Decoder, Encoder}
32 import io.swagger.annotations._
33 import org.make.api.operation.OperationServiceComponent
34 import org.make.api.question.QuestionServiceComponent
35 import org.make.api.technical.MakeDirectives.MakeDirectivesDependencies
36 import org.make.api.technical._
37 import org.make.api.technical.directives.FutureDirectivesExtensions._
38 import org.make.api.user.UserServiceComponent
39 import org.make.core.Validation._
40 import org.make.core.auth.{Client, ClientId, UserRights}
41 import org.make.core.technical.Pagination
42 import org.make.core.user.{CustomRole, Role, User, UserId}
43 import org.make.core.{HttpCodes, ParameterExtractors, Requirement, Validation}
44 import scalaoauth2.provider._
45 
46 import javax.ws.rs.Path
47 import scala.annotation.meta.field
48 import scala.concurrent.Future
49 
50 @Api(value = "Client OAuth")
51 @Path(value = "/admin/clients")
52 trait AdminClientApi extends Directives {
53   @ApiOperation(
54     value = "create-oauth-client",
55     httpMethod = "POST",
56     code = HttpCodes.OK,
57     authorizations = Array(
58       new Authorization(
59         value = "MakeApi",
60         scopes = Array(new AuthorizationScope(scope = "admin", description = "BO Admin"))
61       )
62     )
63   )
64   @ApiImplicitParams(
65     value = Array(
66       new ApiImplicitParam(
67         name = "body",
68         paramType = "body",
69         dataType = "org.make.api.technical.auth.AdminCreateClientRequest"
70       )
71     )
72   )
73   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[ClientResponse])))
74   @Path(value = "/")
75   def createClient: Route
76 
77   @ApiOperation(
78     value = "update-oauth-client",
79     httpMethod = "PUT",
80     code = HttpCodes.OK,
81     authorizations = Array(
82       new Authorization(
83         value = "MakeApi",
84         scopes = Array(new AuthorizationScope(scope = "admin", description = "BO Admin"))
85       )
86     )
87   )
88   @ApiImplicitParams(
89     value = Array(
90       new ApiImplicitParam(name = "clientId", paramType = "path", dataType = "string"),
91       new ApiImplicitParam(
92         name = "body",
93         paramType = "body",
94         dataType = "org.make.api.technical.auth.AdminCreateClientRequest"
95       )
96     )
97   )
98   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[ClientResponse])))
99   @Path(value = "/{clientId}")
100   def updateClient: Route
101 
102   @ApiOperation(
103     value = "get-oauth-client",
104     httpMethod = "GET",
105     code = HttpCodes.OK,
106     authorizations = Array(
107       new Authorization(
108         value = "MakeApi",
109         scopes = Array(new AuthorizationScope(scope = "admin", description = "BO Admin"))
110       )
111     )
112   )
113   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[ClientResponse])))
114   @ApiImplicitParams(value = Array(new ApiImplicitParam(name = "clientId", paramType = "path", dataType = "string")))
115   @Path(value = "/{clientId}")
116   def getClient: Route
117 
118   @ApiOperation(
119     value = "list-oauth-client",
120     httpMethod = "GET",
121     code = HttpCodes.OK,
122     authorizations = Array(
123       new Authorization(
124         value = "MakeApi",
125         scopes = Array(new AuthorizationScope(scope = "admin", description = "BO Admin"))
126       )
127     )
128   )
129   @ApiImplicitParams(
130     value = Array(
131       new ApiImplicitParam(
132         name = "_start",
133         paramType = "query",
134         dataType = "int",
135         allowableValues = "range[0, infinity]"
136       ),
137       new ApiImplicitParam(
138         name = "_end",
139         paramType = "query",
140         dataType = "int",
141         allowableValues = "range[0, infinity]"
142       ),
143       new ApiImplicitParam(name = "name", paramType = "query", dataType = "string")
144     )
145   )
146   @ApiResponses(
147     value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[Array[ClientResponse]]))
148   )
149   @Path(value = "/")
150   def listClients: Route
151 
152   def routes: Route = createClient ~ getClient ~ listClients ~ updateClient
153 }
154 
155 trait AdminClientApiComponent {
156   def adminClientApi: AdminClientApi
157 }
158 
159 trait DefaultAdminClientApiComponent
160     extends AdminClientApiComponent
161     with MakeDirectives
162     with MakeAuthenticationDirectives
163     with Logging
164     with ParameterExtractors {
165   self: MakeDirectivesDependencies
166     with ClientServiceComponent
167     with UserServiceComponent
168     with QuestionServiceComponent
169     with OperationServiceComponent =>
170 
171   override lazy val adminClientApi: AdminClientApi = new DefaultAdminClientApi
172 
173   class DefaultAdminClientApi extends AdminClientApi {
174 
175     val clientId: PathMatcher1[ClientId] = Segment.map(id => ClientId(id))
176 
177     override def createClient: Route =
178       post {
179         path("admin" / "clients") {
180           makeOperation("AdminCreateOauthClient") { _ =>
181             makeOAuth2 { auth: AuthInfo[UserRights] =>
182               requireAdminRole(auth.user) {
183                 decodeRequest {
184                   entity(as[AdminCreateClientRequest]) { request: AdminCreateClientRequest =>
185                     val futureUser = request.defaultUserId match {
186                       case Some(id) => userService.getUser(id)
187                       case None     => Future.successful(None)
188                     }
189                     futureUser.asDirective { maybeUser =>
190                       Validation.validate(AdminCreateClientRequest.validations(request, maybeUser): _*)
191                       onSuccess(
192                         clientService.createClient(
193                           name = request.name,
194                           allowedGrantTypes = request.allowedGrantTypes.map(_.value),
195                           secret = request.secret,
196                           scope = request.scope,
197                           redirectUri = request.redirectUri.map(_.value),
198                           defaultUserId = request.defaultUserId,
199                           roles = request.roles.map(CustomRole.apply),
200                           tokenExpirationSeconds = request.tokenExpirationSeconds,
201                           refreshExpirationSeconds = request.refreshExpirationSeconds,
202                           reconnectExpirationSeconds = request.reconnectExpirationSeconds
203                         )
204                       ) { client =>
205                         complete(StatusCodes.Created -> ClientResponse(client))
206                       }
207                     }
208                   }
209                 }
210               }
211             }
212           }
213         }
214       }
215 
216     override def getClient: Route = get {
217       path("admin" / "clients" / clientId) { clientId =>
218         makeOperation("AdminGetOauthClient") { _ =>
219           makeOAuth2 { userAuth: AuthInfo[UserRights] =>
220             requireAdminRole(userAuth.user) {
221               clientService.getClient(clientId).asDirectiveOrNotFound { client =>
222                 complete(ClientResponse(client))
223               }
224             }
225           }
226         }
227       }
228     }
229 
230     override def updateClient: Route = put {
231       path("admin" / "clients" / clientId) { clientId =>
232         makeOperation("AdminUpdateOauthClient") { _ =>
233           makeOAuth2 { userAuth: AuthInfo[UserRights] =>
234             requireAdminRole(userAuth.user) {
235               decodeRequest {
236                 entity(as[AdminCreateClientRequest]) { request: AdminCreateClientRequest =>
237                   val futureUser = request.defaultUserId match {
238                     case Some(id) => userService.getUser(id)
239                     case None     => Future.successful(None)
240                   }
241                   futureUser.asDirective { maybeUser =>
242                     Validation.validate(AdminCreateClientRequest.validations(request, maybeUser): _*)
243                     clientService
244                       .updateClient(
245                         clientId = clientId,
246                         name = request.name,
247                         allowedGrantTypes = request.allowedGrantTypes.map(_.value),
248                         secret = request.secret,
249                         scope = request.scope,
250                         redirectUri = request.redirectUri.map(_.value),
251                         defaultUserId = request.defaultUserId,
252                         roles = request.roles.map(CustomRole.apply),
253                         tokenExpirationSeconds = request.tokenExpirationSeconds,
254                         refreshExpirationSeconds = request.refreshExpirationSeconds,
255                         reconnectExpirationSeconds = request.reconnectExpirationSeconds
256                       )
257                       .asDirectiveOrNotFound { client =>
258                         complete(ClientResponse(client))
259                       }
260                   }
261                 }
262               }
263             }
264           }
265         }
266       }
267     }
268 
269     override def listClients: Route = get {
270       path("admin" / "clients") {
271         makeOperation("AdminListOauthClient") { _ =>
272           parameters("_start".as[Pagination.Offset].?, "_end".as[Pagination.End].?, "name".?) { (offset, end, name) =>
273             makeOAuth2 { userAuth: AuthInfo[UserRights] =>
274               requireAdminRole(userAuth.user) {
275                 clientService.count(name).asDirective { count =>
276                   onSuccess(clientService.search(offset.orZero, end, name)) { clients =>
277                     complete((StatusCodes.OK, List(`X-Total-Count`(count.toString)), clients.map(ClientResponse.apply)))
278                   }
279                 }
280               }
281             }
282           }
283         }
284       }
285     }
286 
287   }
288 }
289 
290 final case class ClientResponse(
291   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555", required = true)
292   id: ClientId,
293   name: String,
294   @(ApiModelProperty @field)(
295     dataType = "string",
296     allowableValues = AdminCreateClientRequest.swaggerAllowableValues,
297     required = true
298   )
299   allowedGrantTypes: Seq[String],
300   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555")
301   secret: Option[String],
302   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555")
303   scope: Option[String],
304   @(ApiModelProperty @field)(dataType = "string", example = "https://example.com/redirect-uri")
305   redirectUri: Option[String],
306   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555")
307   defaultUserId: Option[UserId],
308   @(ApiModelProperty @field)(dataType = "list[string]", allowableValues = Role.swaggerAllowableValues, required = true)
309   roles: Seq[Role],
310   @(ApiModelProperty @field)(dataType = "int", example = "300", required = true)
311   tokenExpirationSeconds: Int,
312   @(ApiModelProperty @field)(dataType = "int", example = "1500", required = true)
313   refreshExpirationSeconds: Int,
314   @(ApiModelProperty @field)(dataType = "int", example = "900", required = true)
315   reconnectExpirationSeconds: Int
316 )
317 
318 object ClientResponse {
319   implicit val encoder: Encoder[ClientResponse] = deriveEncoder[ClientResponse]
320   implicit val decoder: Decoder[ClientResponse] = deriveDecoder[ClientResponse]
321   def apply(client: Client): ClientResponse =
322     ClientResponse(
323       id = client.clientId,
324       name = client.name,
325       allowedGrantTypes = client.allowedGrantTypes,
326       secret = client.secret,
327       scope = client.scope,
328       redirectUri = client.redirectUri,
329       defaultUserId = client.defaultUserId,
330       roles = client.roles,
331       tokenExpirationSeconds = client.tokenExpirationSeconds,
332       refreshExpirationSeconds = client.refreshExpirationSeconds,
333       reconnectExpirationSeconds = client.reconnectExpirationSeconds
334     )
335 }
336 
337 final case class AdminCreateClientRequest(
338   name: String Refined ValidHtml,
339   @(ApiModelProperty @field)(dataType = "string", example = "s3Cr3T")
340   secret: Option[String],
341   @(ApiModelProperty @field)(
342     dataType = "string",
343     allowableValues = AdminCreateClientRequest.swaggerAllowableValues,
344     required = true
345   )
346   allowedGrantTypes: Seq[String Refined AdminCreateClientRequest.GrantType],
347   scope: Option[String],
348   @(ApiModelProperty @field)(dataType = "string", example = "https://example.com/redirect-uri")
349   redirectUri: Option[String Refined Uri],
350   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555")
351   defaultUserId: Option[UserId],
352   @(ApiModelProperty @field)(dataType = "list[string]", allowableValues = Role.swaggerAllowableValues)
353   roles: Seq[String],
354   @(ApiModelProperty @field)(dataType = "int", example = "300", required = true)
355   tokenExpirationSeconds: Int,
356   @(ApiModelProperty @field)(dataType = "int", example = "1500", required = true)
357   refreshExpirationSeconds: Int,
358   @(ApiModelProperty @field)(dataType = "int", example = "900", required = true)
359   reconnectExpirationSeconds: Int
360 )
361 
362 object AdminCreateClientRequest {
363   implicit val encoder: Encoder[AdminCreateClientRequest] = deriveEncoder[AdminCreateClientRequest]
364   implicit val decoder: Decoder[AdminCreateClientRequest] = deriveDecoder[AdminCreateClientRequest]
365   val validGrantTypes: Set[String] = Set(
366     OAuthGrantType.AUTHORIZATION_CODE,
367     OAuthGrantType.REFRESH_TOKEN,
368     OAuthGrantType.CLIENT_CREDENTIALS,
369     OAuthGrantType.PASSWORD,
370     OAuthGrantType.IMPLICIT
371   )
372   final val swaggerAllowableValues = "authorization_code,refresh_token,client_credentials,password,implicit"
373 
374   final case class GrantType()
375   implicit val validateGrantType: Validate.Plain[String, GrantType] =
376     Validate.fromPredicate[String, GrantType](validGrantTypes.contains, t => s"GrantType($t)", GrantType())
377 
378   def validations(request: AdminCreateClientRequest, maybeUser: Option[User]): Seq[Requirement] =
379     Seq(
380       Validation.validateField(
381         "defaultUserId",
382         "not_found",
383         request.defaultUserId.isEmpty || maybeUser.isDefined,
384         s"User ${request.defaultUserId} not found."
385       )
386     )
387 
388 }