Add initial implementation.

Signed-off-by: Paulo Pires <pjpires@gmail.com>

Author: pires

build.gradle

@@ -0,0 +1,52 @@
+plugins {
+    id 'java'
+    id 'application'
+    id 'com.github.johnrengelman.shadow' version '2.0.1'
+}
+
+group 'com.travelaudience.nexus'
+version '1.0.0-SNAPSHOT'
+
+mainClassName = 'io.vertx.core.Launcher'
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
+dependencies {
+    compile 'com.github.ben-manes.caffeine:caffeine:2.5.2'
+    compile 'com.google.apis:google-api-services-cloudresourcemanager:v1beta1-rev446-1.22.0'
+    compile 'com.google.apis:google-api-services-oauth2:v1-rev127-1.22.0'
+    compile 'io.vertx:vertx-auth-jwt:3.4.2'
+    compile 'io.vertx:vertx-unit:3.4.2'
+    compile 'io.vertx:vertx-web:3.4.2'
+    testCompile 'org.powermock:powermock-api-mockito2:1.7.0'
+    testCompile 'org.powermock:powermock-module-junit4:1.7.0'
+}
+
+repositories {
+    mavenCentral()
+}
+
+test {
+    // the following are not needed until e2e tests are made available
+    systemProperty "ORGANIZATION_ID", "ORGANIZATION_ID"
+    systemProperty "CLIENT_ID", "CLIENT_ID"
+    systemProperty "CLIENT_SECRET", "CLIENT_SECRET"
+}
+
+shadowJar {
+    classifier = null
+
+    manifest {
+        attributes 'Main-Verticle': 'com.travelaudience.devops.nexus.proxy.NexusProxyVerticle'
+    }
+    mergeServiceFiles {
+        include 'META-INF/services/io.vertx.core.spi.VerticleFactory'
+    }
+
+    version = null
+}
+
+task wrapper(type: Wrapper) {
+    distributionUrl = "https://services.gradle.org/distributions/gradle-$gradleVersion-all.zip"
+    gradleVersion = '4.0.1'
+}

settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'nexus-google-iam-proxy'

src/main/java/com/travelaudience/nexus/proxy/CachingGoogleAuthCodeFlow.java

@@ -0,0 +1,197 @@
+package com.travelaudience.nexus.proxy;
+
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.github.benmanes.caffeine.cache.LoadingCache;
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.store.DataStoreFactory;
+import com.google.api.client.util.store.MemoryDataStoreFactory;
+import com.google.api.services.cloudresourcemanager.CloudResourceManager;
+import com.google.api.services.cloudresourcemanager.model.Organization;
+import com.google.common.collect.ImmutableSet;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.List;
+import java.util.Set;
+
+import static com.google.api.services.cloudresourcemanager.CloudResourceManagerScopes.CLOUD_PLATFORM_READ_ONLY;
+import static com.google.api.services.oauth2.Oauth2Scopes.USERINFO_EMAIL;
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+
+/**
+ * Wraps {@link GoogleAuthorizationCodeFlow} caching authorization results and providing unchecked methods.
+ */
+public class CachingGoogleAuthCodeFlow {
+    private static final DataStoreFactory DATA_STORE_FACTORY = new MemoryDataStoreFactory();
+    private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
+    private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
+    private static final Set<String> SCOPES = ImmutableSet.of(CLOUD_PLATFORM_READ_ONLY, USERINFO_EMAIL);
+
+    private final LoadingCache<String, Boolean> authCache;
+    private final GoogleAuthorizationCodeFlow authFlow;
+    private final String organizationId;
+    private final String redirectUri;
+
+    private CachingGoogleAuthCodeFlow(final int authCacheTtl,
+                                      final String clientId,
+                                      final String clientSecret,
+                                      final String organizationId,
+                                      final String redirectUri) throws IOException {
+        this.authCache = Caffeine.newBuilder()
+                .maximumSize(4096)
+                .expireAfterWrite(authCacheTtl, MILLISECONDS)
+                .build(k -> this.isOrganizationMember(k, true));
+        this.authFlow = new GoogleAuthorizationCodeFlow.Builder(
+                HTTP_TRANSPORT,
+                JSON_FACTORY,
+                clientId,
+                clientSecret,
+                SCOPES
+        ).setDataStoreFactory(
+                DATA_STORE_FACTORY
+        ).setAccessType(
+                "offline"
+        ).setApprovalPrompt(
+                "force"
+        ).build();
+        this.organizationId = organizationId;
+        this.redirectUri = redirectUri;
+    }
+
+    /**
+     * Creates a new instance of {@link CachingGoogleAuthCodeFlow}.
+     *
+     * @param authCacheTtl   the amount of time (in ms) during which to cache the fact that a user is authorized.
+     * @param clientId       the application's client ID.
+     * @param clientSecret   the application's client secret.
+     * @param organizationId the organization ID.
+     * @param redirectUri    the URL which to redirect users to in the end of the authentication flow.
+     * @return a new instance of {@link CachingGoogleAuthCodeFlow}.
+     */
+    public static final CachingGoogleAuthCodeFlow create(final int authCacheTtl,
+                                                         final String clientId,
+                                                         final String clientSecret,
+                                                         final String organizationId,
+                                                         final String redirectUri) {
+        try {
+            return new CachingGoogleAuthCodeFlow(authCacheTtl, clientId, clientSecret, organizationId, redirectUri);
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+    }
+
+    /**
+     * Returns the full authorization code request URL (complete with the redirect URL).
+     *
+     * @return the full authorization code request URL (complete with the redirect URL).
+     */
+    public final String buildAuthorizationUri() {
+        return this.authFlow.newAuthorizationUrl().setRedirectUri(redirectUri).build();
+    }
+
+    /**
+     * Returns the principal authenticated by {@code token}.
+     *
+     * @param token an instance of {@link GoogleTokenResponse}.
+     * @return the principal authenticated by {@code token}.
+     */
+    public final String getPrincipal(final GoogleTokenResponse token) {
+        try {
+            return token.parseIdToken().getPayload().getEmail();
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+    }
+
+    /**
+     * Returns whether a given user is a member of the organization.
+     *
+     * @param userId the user's ID (typically his organization email address).
+     * @return whether a given user is a member of the organization.
+     */
+    public final boolean isOrganizationMember(final String userId) {
+        return isOrganizationMember(userId, false);
+    }
+
+    private final boolean isOrganizationMember(final String userId,
+                                               final boolean forceCheck) {
+        if (!forceCheck) {
+            return this.authCache.get(userId);
+        }
+
+        final Credential credential = this.loadCredential(userId);
+
+        if (credential == null) {
+            return false;
+        }
+
+        final GoogleCredential googleCredential = new GoogleCredential().setAccessToken(credential.getAccessToken());
+
+        final CloudResourceManager crm = new CloudResourceManager.Builder(
+                HTTP_TRANSPORT,
+                JSON_FACTORY,
+                googleCredential).setApplicationName(this.authFlow.getClientId()).build();
+
+        final List<Organization> organizations;
+
+        try {
+            organizations = crm.organizations().list().execute().getOrganizations();
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+
+        return organizations != null
+                && organizations.stream().anyMatch(org -> this.organizationId.equals(org.getOrganizationId()));
+    }
+
+    /**
+     * Loads the credential for the given user ID from the credential store.
+     *
+     * @param userId the user's ID.
+     * @return the credential found in the credential store for the given user ID or {@code null} if none is found.
+     */
+    public final Credential loadCredential(final String userId) {
+        try {
+            return this.authFlow.loadCredential(userId);
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+    }
+
+    /**
+     * Returns a {@link GoogleTokenResponse} corresponding to an authorization code token request based on the given
+     * authorization code.
+     *
+     * @param authorizationCode the authorization code to use.
+     * @return a {@link GoogleTokenResponse} corresponding to an authorization code token request based on the given
+     * authorization code.
+     */
+    public final GoogleTokenResponse requestToken(final String authorizationCode) {
+        try {
+            return this.authFlow.newTokenRequest(authorizationCode).setRedirectUri(this.redirectUri).execute();
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+    }
+
+    /**
+     * Stores the credential corresponding to the specified {@link GoogleTokenResponse}.
+     *
+     * @param token an instance of {@link GoogleTokenResponse}.
+     * @return the {@link Credential} corresponding to the specified {@link GoogleTokenResponse}.
+     */
+    public final Credential storeCredential(final GoogleTokenResponse token) {
+        try {
+            return this.authFlow.createAndStoreCredential(token, this.getPrincipal(token));
+        } catch (final IOException ex) {
+            throw new UncheckedIOException(ex);
+        }
+    }
+}

src/main/java/com/travelaudience/nexus/proxy/ContextKeys.java

@@ -0,0 +1,20 @@
+package com.travelaudience.nexus.proxy;
+
+import io.vertx.ext.web.RoutingContext;
+
+/**
+ * Holds strings corresponding to keys frequently set on {@link RoutingContext#data()}.
+ */
+public final class ContextKeys {
+    /**
+     * The key that holds the fact that there's an {@code Authorization} header on the current request.
+     */
+    public static final String HAS_AUTHORIZATION_HEADER = "has-authorization-header";
+    /**
+     * The key that holds the instance of {@link NexusHttpProxy} to use when serving the current request.
+     */
+    public static final String PROXY = "proxy";
+
+    private ContextKeys() {
+    }
+}

src/main/java/com/travelaudience/nexus/proxy/JwtAuth.java

@@ -0,0 +1,88 @@
+package com.travelaudience.nexus.proxy;
+
+import io.vertx.core.Vertx;
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.jwt.JWTAuth;
+import io.vertx.ext.auth.jwt.JWTOptions;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.function.Consumer;
+
+import static java.time.temporal.ChronoUnit.DAYS;
+
+/**
+ * Provides utility methods for dealing with JWT-based authentication.
+ */
+public final class JwtAuth {
+    private static final String UID_KEY = "uid";
+
+    private final List<String> audience;
+    private final JWTAuth jwtAuth;
+    private final JWTOptions jwtOptions;
+
+    private JwtAuth(final Vertx vertx,
+                    final String keystorePath,
+                    final String keystorePass,
+                    final List<String> audience) {
+        this.jwtAuth = JWTAuth.create(vertx, new JsonObject().put("keyStore", new JsonObject()
+                .put("path", keystorePath)
+                .put("type", "jceks")
+                .put("password", keystorePass)));
+        this.jwtOptions = new JWTOptions()
+                .setAudience(audience)
+                .setAlgorithm("RS256")
+                .setExpiresInSeconds(Duration.of(365, DAYS).getSeconds());
+        this.audience = audience;
+    }
+
+    /**
+     * Creates a new instance of {@link JwtAuth}.
+     *
+     * @param vertx        the base {@link Vertx} instance.
+     * @param keystorePath the path to the keystore containing the signing key.
+     * @param keystorePass the password to the keystore containing the signing key.
+     * @param audience     the intended audience of the generated tokens.
+     * @return a new instance of {@link JwtAuth}.
+     */
+    public static final JwtAuth create(final Vertx vertx,
+                                       final String keystorePath,
+                                       final String keystorePass,
+                                       final List<String> audience) {
+        return new JwtAuth(vertx, keystorePath, keystorePass, audience);
+    }
+
+    /**
+     * Returns a new JWT for the specified user.
+     *
+     * @param userId the authenticated user.
+     * @return a new JWT for the specified user.
+     */
+    public final String generate(final String userId) {
+        return this.jwtAuth.generateToken(new JsonObject().put(UID_KEY, userId), this.jwtOptions);
+    }
+
+    /**
+     * Validates whether the specified {@code jwtToken} is valid, returning the user's ID if validation is successful or
+     * {@null} otherwise.
+     *
+     * @param jwtToken the JWT token with which the user is authenticating.
+     * @param handler  the result handler.
+     */
+    public final void validate(final String jwtToken,
+                               final Consumer<String> handler) {
+        final JsonObject authData = new JsonObject()
+                .put("jwt", jwtToken)
+                .put("options", new JsonObject()
+                        .put("audience", new JsonArray(audience)));
+
+        this.jwtAuth.authenticate(authData, res -> {
+            if (res.succeeded()) {
+                handler.accept(res.result().principal().getString(UID_KEY));
+            } else {
+                handler.accept(null);
+            }
+        });
+    }
+}