initial commit

Author: guFalcon

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.github/workflows/pipeline.yml

@@ -0,0 +1,28 @@
+name: PIPELINE
+
+on:
+ push:
+ branches:
+ - 'master'
+ workflow_dispatch:
+
+jobs:
+ bump:
+ uses: UnterrainerInformatik/bump-semver-workflow/.github/workflows/workflow.yml@master
+
+ build:
+ name: Build and publish to Maven Central 🚀
+ needs: bump
+ uses: UnterrainerInformatik/maven-central-workflow/.github/workflows/workflow.yml@master
+ with:
+ major_version: ${{ needs.bump.outputs.major_version }}
+ minor_version: ${{ needs.bump.outputs.minor_version }}
+ build_version: ${{ needs.bump.outputs.build_version }}
+ maven_profiles: release-to-sonatype
+ maven_args: -Dmaven.test.skip=true
+ secrets:
+ SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+ SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+ GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
+ GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.gitignore

@@ -21,4 +21,14 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
-replay_pid*
+/target/
+
+src/main/java/info/unterrainer/commons/jreutils/Information.java
+
+.settings/
+
+.classpath
+
+bin/
+
+dependency-reduced-pom.xml

.project

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+<name>serialization</name>
+<comment></comment>
+<projects>
+</projects>
+<buildSpec>
+<buildCommand>
+<name>org.eclipse.jdt.core.javabuilder</name>
+<arguments>
+</arguments>
+</buildCommand>
+<buildCommand>
+<name>org.eclipse.m2e.core.maven2Builder</name>
+<arguments>
+</arguments>
+</buildCommand>
+</buildSpec>
+<natures>
+<nature>org.eclipse.jdt.core.javanature</nature>
+<nature>org.eclipse.m2e.core.maven2Nature</nature>
+</natures>
+</projectDescription>

Information.template

@@ -0,0 +1,7 @@
+package @package@;
+
+public class Information {
+public static final String name = "@name@";
+public static final String buildTime = "@buildTime@";
+public static final String pomVersion = "@pomVersion@";
+}

pom.xml

@@ -0,0 +1,67 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+<parent>
+<groupId>info.unterrainer.commons</groupId>
+<artifactId>parent-javalin-pom</artifactId>
+<version>1.0.2</version>
+</parent>
+
+<modelVersion>4.0.0</modelVersion>
+<artifactId>websocket-server</artifactId>
+<version>1.0.0</version>
+<name>WebsocketServer</name>
+<packaging>jar</packaging>
+
+<properties>
+<mainclass>info.unterrainer.commons.websocketserver.WebsocketServer</mainclass>
+<name>Websocket-Server</name>
+<package-path>info/unterrainer/commons/websocketserver</package-path>
+<packg-string>info.unterrainer.commons.websocketserver</packg-string>
+</properties>
+
+<dependencies>
+<!--Websocket Server-->
+<!-- And add org.keycloak:keycloak-core to ignoredUnused below...-->
+<dependency>
+<groupId>org.eclipse.jetty.websocket</groupId>
+<artifactId>websocket-api</artifactId>
+<version>9.4.38.v20210224</version>
+<scope>compile</scope>
+</dependency>
+<dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-admin-client</artifactId>
+ <version>26.0.4</version>
+</dependency>
+<dependency>
+<groupId>info.unterrainer.commons</groupId>
+<artifactId>http-server</artifactId>
+<version>1.0.0</version>
+</dependency>
+</dependencies>
+
+<build>
+<pluginManagement>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-dependency-plugin</artifactId>
+<executions>
+<execution>
+<id>analyze</id>
+<configuration>
+<ignoredUsedUndeclaredDependencies
+combine.children="append">
+<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-core</ignoredUsedUndeclaredDependencies>
+<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-common</ignoredUsedUndeclaredDependencies>
+</ignoredUsedUndeclaredDependencies>
+</configuration>
+</execution>
+</executions>
+</plugin>
+</plugins>
+</pluginManagement>
+</build>
+</project>

src/main/java/info/unterrainer/websocketserver/AiComm.java

@@ -0,0 +1,33 @@
+package info.unterrainer.websocketserver;
+
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+import io.javalin.websocket.WsConnectContext;
+import io.javalin.websocket.WsMessageContext;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AiComm extends WsOauthHandlerBase {
+
+private Set<WsConnectContext> connectedWsClients = ConcurrentHashMap.newKeySet();
+
+@Override
+public void onConnect(WsConnectContext ctx) throws Exception {
+super.onConnect(ctx);
+connectedWsClients.add(ctx);
+ctx.send("Welcome to our websocket-server!");
+}
+
+@Override
+public void onMessage(WsMessageContext ctx) throws Exception {
+super.onMessage(ctx);
+
+// Broadcast to all connected WS clients.
+for (WsConnectContext client : connectedWsClients) {
+if (client.session.isOpen()) {
+client.send("Echo from server: [" + ctx.message() + "]");
+}
+}
+}
+}

src/main/java/info/unterrainer/websocketserver/JwtTokenHandler.java

@@ -0,0 +1,136 @@
+package info.unterrainer.websocketserver;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Base64;
+
+import org.keycloak.TokenVerifier;
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.AccessToken;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
+import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@RequiredArgsConstructor
+public class JwtTokenHandler {
+
+private final String host;
+private final String realm;
+
+private String authUrl;
+private PublicKey publicKey = null;
+
+public void initPublicKey() {
+String correctedHost = host;
+String correctedRealm = realm;
+
+if (publicKey != null)
+return;
+if (!correctedHost.endsWith("/"))
+correctedHost += "/";
+if (!correctedRealm.startsWith("/"))
+correctedRealm = "/" + correctedRealm;
+
+authUrl = correctedHost + "realms" + correctedRealm + "/protocol/openid-connect/certs";
+try {
+log.info("Getting public key from: [{}]", authUrl);
+publicKey = fetchPublicKey(authUrl);
+} catch (Exception e) {
+log.error("There was an error fetching the PublicKey from the openIdConnect-server [{}].", authUrl);
+throw new IllegalStateException(e);
+}
+}
+
+private PublicKey fetchPublicKey(String jwksUrl) throws Exception {
+ObjectMapper objectMapper = new ObjectMapper();
+HttpClient client = HttpClient.newHttpClient();
+HttpRequest request = HttpRequest.newBuilder().uri(URI.create(jwksUrl)).GET().build();
+
+HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+
+if (response.statusCode() >= 300) {
+throw new IOException("Failed to fetch JWKS: HTTP " + response.statusCode());
+}
+
+JsonNode jwks = objectMapper.readTree(response.body());
+// Just take the first key for now.
+JsonNode key = jwks.get("keys").get(0);
+
+String modulusBase64 = key.get("n").asText();
+String exponentBase64 = key.get("e").asText();
+
+byte[] modulusBytes = Base64.getUrlDecoder().decode(modulusBase64);
+byte[] exponentBytes = Base64.getUrlDecoder().decode(exponentBase64);
+
+BigInteger modulus = new BigInteger(1, modulusBytes);
+BigInteger exponent = new BigInteger(1, exponentBytes);
+
+RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
+KeyFactory factory = KeyFactory.getInstance("RSA");
+return factory.generatePublic(spec);
+}
+
+public void checkAccess(String authorizationHeader) {
+try {
+TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(authorizationHeader);
+if (tokenVerifier == null)
+throw new UnauthorizedException();
+
+initPublicKey();
+tokenVerifier.publicKey(publicKey);
+try {
+tokenVerifier.verifySignature();
+} catch (VerificationException e) {
+throw new UnauthorizedException(
+"Error verifying token from user with publicKey obtained from keycloak.", e);
+}
+
+try {
+tokenVerifier.verify();
+throw new ForbiddenException();
+} catch (VerificationException e) {
+throw new ForbiddenException();
+}
+} catch (Exception e) {
+log.error("Error checking token.", e);
+throw e;
+}
+}
+
+private TokenVerifier<AccessToken> persistUserInfoInContext(String authorizationHeader) {
+if (authorizationHeader == null || authorizationHeader.isBlank())
+return null;
+
+try {
+TokenVerifier<AccessToken> tokenVerifier = TokenVerifier.create(authorizationHeader, AccessToken.class);
+AccessToken token = tokenVerifier.getToken();
+if (!token.isActive()) {
+log.warn("Token is inactive.");
+return null;
+}
+// Disabled to enable getting token from side-channels like 'localhost'.
+/*
+ * if (!token.getIssuer().equalsIgnoreCase(authUrl)) {
+ * setTokenRejectionReason(ctx, "Token has wrong real-url."); return null; }
+ */
+return tokenVerifier;
+
+} catch (VerificationException e) {
+log.warn("Token was checked and deemed invalid.", e);
+return null;
+}
+}
+}

src/main/java/info/unterrainer/websocketserver/WebsocketServer.java

@@ -0,0 +1,66 @@
+package info.unterrainer.websocketserver;
+
+import java.util.HashSet;
+import java.util.function.Consumer;
+
+import org.jetbrains.annotations.NotNull;
+
+import io.javalin.Javalin;
+import io.javalin.websocket.WsHandler;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class WebsocketServer {
+
+private String keycloakHost;
+private String realm;
+private JwtTokenHandler tokenHandler;
+
+private Javalin wss;
+private boolean isOauthEnabled = false;
+
+public WebsocketServer() {
+wss = Javalin.create();
+}
+
+public WebsocketServer(String keycloakHost, String keycloakRealm) {
+this.keycloakHost = keycloakHost;
+this.realm = keycloakRealm;
+
+try {
+tokenHandler = new JwtTokenHandler(this.keycloakHost, this.realm);
+tokenHandler.initPublicKey();
+wss = Javalin.create();
+isOauthEnabled = true;
+} catch (Exception e) {
+// Exceptions will terminate a request later on, but should not terminate the
+// main-thread here.
+}
+}
+
+public WebsocketServer start(int port) {
+wss.start(port);
+log.debug("Websocket server started on port: {}", port);
+return this;
+}
+
+public WebsocketServer ws(@NotNull String path, @NotNull Consumer<WsHandler> ws) {
+wss.ws(path, ws, new HashSet<>());
+return this;
+}
+
+public WebsocketServer wsOauth(@NotNull String path, @NotNull WsOauthHandlerBase handler) {
+if (!isOauthEnabled) {
+throw new IllegalStateException("Websocket server is not configured for OAuth2/JWT support.");
+}
+
+handler.setTokenHandler(tokenHandler);
+wss.ws(path, ws -> {
+ws.onConnect(handler::onConnect);
+ws.onMessage(handler::onMessage);
+ws.onClose(handler::onClose);
+ws.onError(handler::onError);
+});
+return this;
+}
+}