From 71a55eae4d2874080e25c3f9b646f7fbd4767612 Mon Sep 17 00:00:00 2001 From: Daniel Kleveros Date: Sun, 24 Sep 2023 19:51:35 -0700 Subject: [PATCH] adding handling for bearer tokens --- .../server/plugins/pfedsso/SsoClient.java | 8 ++--- .../server/plugins/pfedsso/SsoHandler.java | 35 +++++++++++++++---- 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java index 5e4f83dc82..ed53348bc8 100644 --- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java +++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java @@ -126,9 +126,9 @@ public String getTokenSigningKey() throws IOException { } } - public Profile getUserProfile(String refreshToken) throws IOException { + public Profile getUserProfileFromRefreshToken(String refreshToken) throws IOException { Token token = getTokenByRefreshToken(refreshToken); - return getProfile(token); + return getProfile(token.accessToken()); } private Token getToken(String urlParameters) throws IOException { @@ -178,7 +178,7 @@ private void postRequest(HttpURLConnection con, String urlParameters) throws IOE } } - private Profile getProfile(Token token) throws IOException { + public Profile getProfile(String accessToken) throws IOException { if (cfg.getUserInfoEndpointUrl() == null) { return null; } 
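Review bot: `getProfile(String accessToken)` is now a public entry point whose argument goes straight into an Authorization header (the hunk at -186 formats it with `String.format("Bearer %s", accessToken)`), but the new signature has no Javadoc and no null check, so a null caller value would be sent literally as `Bearer null`. Add `Objects.requireNonNull(accessToken, "accessToken");` as the first statement (importing `java.util.Objects` if SsoClient does not already have it) and a Javadoc such as `/** Fetches the user profile from the configured userinfo endpoint, presenting {@code accessToken} as a bearer credential; returns {@code null} when no userinfo endpoint is configured. Callers are expected to have validated the token first. */`. The renamed `getUserProfileFromRefreshToken` now dereferences `token.accessToken()` directly, so it depends on `getTokenByRefreshToken` never returning null; whether it can is not visible in this hunk. Both method bodies continue outside the hunk.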
@@ -186,7 +186,7 @@ private Profile getProfile(Token token) throws IOException { try { URL url = new URL(cfg.getUserInfoEndpointUrl()); con = (HttpURLConnection) url.openConnection(); - String authzHeaderValue = String.format("Bearer %s", token.accessToken()); + String authzHeaderValue = String.format("Bearer %s", accessToken); con.setRequestProperty(HttpHeaders.AUTHORIZATION, authzHeaderValue); con.setRequestProperty(HttpHeaders.CONTENT_TYPE, CONTENT_TYPE_HEADER); con.setRequestMethod("GET"); diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java index f7aaa47d2a..8c1df8c17c 100644 --- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java +++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java 
@@ -56,29 +56,34 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r HttpServletRequest req = WebUtils.toHttp(request); - String token = SsoCookies.getTokenCookie(req); - if (token == null) { + String bearerToken = extractTokenFromRequest(req); + String incomingToken = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req); + + if (incomingToken == null) { return null; } - String login = jwtAuthenticator.validateTokenAndGetLogin(token); + //TODO: If token comes in from bearer token, then this should be an access_token. + // Use this directly to get the user profile i.e. ssoClient.getProfile(accessToken); + + String login = jwtAuthenticator.validateTokenAndGetLogin(incomingToken); if (login == null) { return null; } - String[] as = parseDomain(login); + String[] as = parseDomain(login); //TODO: Can we not get this info from userInfo endpoint? i.e. SsoClient.Profile - String refreshToken = SsoCookies.getRefreshCookie(req); - // get userprofile send the response as null if refreshToken is expired or used SsoClient.Profile profile; try { - profile = ssoClient.getUserProfile(refreshToken); + profile = bearerToken != null ? ssoClient.getProfile(bearerToken) : ssoClient.getUserProfileFromRefreshToken(incomingToken); + } catch (IOException e) { return null; } if (profile == null) { return null; } + //TODO: User name and domain should be returned by the userInfo endpoint(profile) "sub". Do we really need these two? as[0], as[1] return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups()); } 
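Review bot: The cookie branch now passes the wrong credential to the refresh grant: `incomingToken` holds the value of `SsoCookies.getTokenCookie(req)`, yet it is handed to `ssoClient.getUserProfileFromRefreshToken(incomingToken)`, while the line that read the refresh cookie (`String refreshToken = SsoCookies.getRefreshCookie(req);`) was removed. Unless the token cookie happens to carry the refresh token, which the old code's separate cookie read argues against, cookie-based logins will fail the refresh exchange. Restore the read and use it in the else branch: `String refreshToken = SsoCookies.getRefreshCookie(req);` and `profile = bearerToken != null ? ssoClient.getProfile(bearerToken) : ssoClient.getUserProfileFromRefreshToken(refreshToken);`. The bearer branch is gated by `jwtAuthenticator.validateTokenAndGetLogin` before the userinfo call, which is the right order; whether that validator also checks issuer and audience is not visible here and is worth confirming, since the TODO left in the hunk notes the bearer value is an access token rather than the token the cookie carried. createToken starts outside the hunk.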
@@ -112,4 +117,20 @@ private String[] parseDomain(String s) {
 String domain = s.substring(pos + 1);
 return new String[]{username, domain};
 }
+
+ private String extractTokenFromRequest(HttpServletRequest request) {
+ final String value = request.getHeader("Authorization");
+
+ if (value == null || !value.toLowerCase().startsWith("bearer")) {
+ return null;
+ }
+
+ String[] parts = value.split(" ");
+
+ if (parts.length < 2) {
+ return null;
+ }
+
+ return parts[1].trim();
+ }
 }
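Review bot: `extractTokenFromRequest` accepts malformed headers and can return an empty token: `startsWith("bearer")` without a trailing space matches any scheme that merely begins with those letters, and `value.split(" ")` on a header with two spaces after the scheme yields `parts[1]` equal to `""`, which is then returned and, per the createToken hunk, passed to `validateTokenAndGetLogin` as if it were a credential instead of being rejected here. Match the scheme case-insensitively with `regionMatches`, take the remainder after `Bearer `, and return null when it is blank; if the `HttpHeaders.AUTHORIZATION` constant used in SsoClient is in scope here it could replace the `"Authorization"` literal. A one-line Javadoc such as `/** Returns the bearer token from the Authorization header, or null if the header is absent or not a Bearer credential. */` would also help, since the method name does not say which header or scheme it reads.
```java
    private String extractTokenFromRequest(HttpServletRequest request) {
        String value = request.getHeader("Authorization");

        if (value == null || !value.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }

        String token = value.substring(7).trim();
        return token.isEmpty() ? null : token;
    }
```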