backport/8.4: fix(common-authentication): Token not refreshed (#632)

* added final modifiers

* created AuthenticationBuilder interface, moved build method there

* moved noop log to constructor

* refactored authentication and builders

* better build next time before push

* added jsonMapper to saas auth

* formatter

Author: jonathanlukas

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/Authentication.java

@@ -4,9 +4,11 @@
 
 public interface Authentication {
 
-  Authentication build();
-
   Map.Entry<String, String> getTokenHeader(Product product);
 
   void resetToken(Product product);
+
+  interface AuthenticationBuilder {
+    Authentication build();
+  }
 }

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/DefaultNoopAuthentication.java

@@ -17,10 +17,8 @@ public class DefaultNoopAuthentication implements Authentication {
   private final String errorMessage =
       "Unable to determine authentication. Please check your configuration";
 
-  @Override
-  public Authentication build() {
+  public DefaultNoopAuthentication() {
     LOG.error(errorMessage);
-    return this;
   }
 
   @Override

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/JwtAuthentication.java

@@ -1,7 +1,68 @@
 package io.camunda.common.auth;
 
-/**
- * TODO: Figure out common functionality between SaaS and Self Managed that can be inserted here to
- * reduce code duplication. If not, remove this class
- */
-public abstract class JwtAuthentication implements Authentication {}
+import java.lang.invoke.MethodHandles;
+import java.time.LocalDateTime;
+import java.util.AbstractMap;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public abstract class JwtAuthentication implements Authentication {
+  private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+  private final JwtConfig jwtConfig;
+  private final Map<Product, JwtToken> tokens = new HashMap<>();
+
+  protected JwtAuthentication(JwtConfig jwtConfig) {
+    this.jwtConfig = jwtConfig;
+  }
+
+  public JwtConfig getJwtConfig() {
+    return jwtConfig;
+  }
+
+  @Override
+  public final void resetToken(Product product) {
+    tokens.remove(product);
+  }
+
+  @Override
+  public final Entry<String, String> getTokenHeader(Product product) {
+    if (!tokens.containsKey(product) || !isValid(tokens.get(product))) {
+      JwtToken newToken = generateToken(product, jwtConfig.getProduct(product));
+      tokens.put(product, newToken);
+    }
+    return authHeader(tokens.get(product).getToken());
+  }
+
+  protected abstract JwtToken generateToken(Product product, JwtCredential credential);
+
+  private Entry<String, String> authHeader(String token) {
+    return new AbstractMap.SimpleEntry<>("Authorization", "Bearer " + token);
+  }
+
+  private boolean isValid(JwtToken jwtToken) {
+    // a token is only counted valid if it is only valid for at least 30 seconds
+    return jwtToken.getExpiry().isAfter(LocalDateTime.now().minusSeconds(30));
+  }
+
+  protected static class JwtToken {
+    private final String token;
+    private final LocalDateTime expiry;
+
+    public JwtToken(String token, LocalDateTime expiry) {
+      this.token = token;
+      this.expiry = expiry;
+    }
+
+    public String getToken() {
+      return token;
+    }
+
+    public LocalDateTime getExpiry() {
+      return expiry;
+    }
+  }
+}

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/JwtAuthenticationBuilder.java

@@ -0,0 +1,22 @@
+package io.camunda.common.auth;
+
+import io.camunda.common.auth.Authentication.AuthenticationBuilder;
+
+public abstract class JwtAuthenticationBuilder<T extends JwtAuthenticationBuilder<?>>
+    implements AuthenticationBuilder {
+  private JwtConfig jwtConfig;
+
+  public final T withJwtConfig(JwtConfig jwtConfig) {
+    this.jwtConfig = jwtConfig;
+    return self();
+  }
+
+  @Override
+  public final Authentication build() {
+    return build(jwtConfig);
+  }
+
+  protected abstract T self();
+
+  protected abstract Authentication build(JwtConfig jwtConfig);
+}

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/JwtConfig.java

@@ -6,7 +6,7 @@
 /** Contains mapping between products and their JWT credentials */
 public class JwtConfig {
 
-  private Map<Product, JwtCredential> map;
+  private final Map<Product, JwtCredential> map;
 
   public JwtConfig() {
     map = new HashMap<>();

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SaaSAuthentication.java

@@ -1,11 +1,8 @@
 package io.camunda.common.auth;
 
 import io.camunda.common.json.JsonMapper;
-import io.camunda.common.json.SdkObjectMapper;
 import java.lang.invoke.MethodHandles;
-import java.util.AbstractMap;
-import java.util.HashMap;
-import java.util.Map;
+import java.time.LocalDateTime;
 import org.apache.hc.client5.http.classic.methods.HttpPost;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
@@ -17,53 +14,29 @@
 public class SaaSAuthentication extends JwtAuthentication {
 
   private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
-  private JwtConfig jwtConfig;
-  private Map<Product, String> tokens;
 
-  // TODO: have a single object mapper to be used all throughout the SDK, i.e.bean injection
-  private JsonMapper jsonMapper = new SdkObjectMapper();
+  private final JsonMapper jsonMapper;
 
-  public SaaSAuthentication() {
-    tokens = new HashMap<>();
+  public SaaSAuthentication(JwtConfig jwtConfig, JsonMapper jsonMapper) {
+    super(jwtConfig);
+    this.jsonMapper = jsonMapper;
   }
 
   public static SaaSAuthenticationBuilder builder() {
     return new SaaSAuthenticationBuilder();
   }
 
-  public JwtConfig getJwtConfig() {
-    return jwtConfig;
-  }
-
-  public void setJwtConfig(JwtConfig jwtConfig) {
-    this.jwtConfig = jwtConfig;
-  }
-
-  @Override
-  public Authentication build() {
-    return this;
-  }
-
-  @Override
-  public void resetToken(Product product) {
-    tokens.remove(product);
-  }
-
-  private String retrieveToken(Product product, JwtCredential jwtCredential) {
+  private TokenResponse retrieveToken(Product product, JwtCredential jwtCredential) {
     try (CloseableHttpClient client = HttpClients.createDefault()) {
       HttpPost request = buildRequest(jwtCredential);
-      TokenResponse tokenResponse =
-          client.execute(
-              request,
-              response ->
-                  jsonMapper.fromJson(
-                      EntityUtils.toString(response.getEntity()), TokenResponse.class));
-      tokens.put(product, tokenResponse.getAccessToken());
+      return client.execute(
+          request,
+          response ->
+              jsonMapper.fromJson(EntityUtils.toString(response.getEntity()), TokenResponse.class));
     } catch (Exception e) {
       LOG.error("Authenticating for " + product + " failed due to " + e);
       throw new RuntimeException("Unable to authenticate", e);
     }
-    return tokens.get(product);
   }
 
   private HttpPost buildRequest(JwtCredential jwtCredential) {
@@ -79,14 +52,10 @@ private HttpPost buildRequest(JwtCredential jwtCredential) {
   }
 
   @Override
-  public Map.Entry<String, String> getTokenHeader(Product product) {
-    String token;
-    if (tokens.containsKey(product)) {
-      token = tokens.get(product);
-    } else {
-      JwtCredential jwtCredential = jwtConfig.getProduct(product);
-      token = retrieveToken(product, jwtCredential);
-    }
-    return new AbstractMap.SimpleEntry<>("Authorization", "Bearer " + token);
+  protected JwtToken generateToken(Product product, JwtCredential credential) {
+    TokenResponse tokenResponse = retrieveToken(product, credential);
+    return new JwtToken(
+        tokenResponse.getAccessToken(),
+        LocalDateTime.now().plusSeconds(tokenResponse.getExpiresIn()));
   }
 }

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SaaSAuthenticationBuilder.java

@@ -1,19 +1,22 @@
 package io.camunda.common.auth;
 
-public class SaaSAuthenticationBuilder {
+import io.camunda.common.json.JsonMapper;
 
-  SaaSAuthentication saaSAuthentication;
+public class SaaSAuthenticationBuilder extends JwtAuthenticationBuilder<SaaSAuthenticationBuilder> {
+  private JsonMapper jsonMapper;
 
-  SaaSAuthenticationBuilder() {
-    saaSAuthentication = new SaaSAuthentication();
+  public SaaSAuthenticationBuilder withJsonMapper(JsonMapper jsonMapper) {
+    this.jsonMapper = jsonMapper;
+    return this;
   }
 
-  public SaaSAuthenticationBuilder jwtConfig(JwtConfig jwtConfig) {
-    saaSAuthentication.setJwtConfig(jwtConfig);
+  @Override
+  protected SaaSAuthenticationBuilder self() {
     return this;
   }
 
-  public Authentication build() {
-    return saaSAuthentication.build();
+  @Override
+  protected SaaSAuthentication build(JwtConfig jwtConfig) {
+    return new SaaSAuthentication(jwtConfig, jsonMapper);
   }
 }

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SelfManagedAuthentication.java

@@ -4,69 +4,34 @@
 import io.camunda.identity.sdk.Identity;
 import io.camunda.identity.sdk.authentication.Tokens;
 import java.lang.invoke.MethodHandles;
-import java.util.AbstractMap;
-import java.util.HashMap;
-import java.util.Map;
+import java.time.LocalDateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class SelfManagedAuthentication extends JwtAuthentication {
 
   private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
-  private JwtConfig jwtConfig;
-  private IdentityConfig identityConfig;
-  private Map<Product, String> tokens;
+  private final IdentityConfig identityConfig;
 
-  public SelfManagedAuthentication() {
-    tokens = new HashMap<>();
+  public SelfManagedAuthentication(JwtConfig jwtConfig, IdentityConfig identityConfig) {
+    super(jwtConfig);
+    this.identityConfig = identityConfig;
   }
 
   public static SelfManagedAuthenticationBuilder builder() {
     return new SelfManagedAuthenticationBuilder();
   }
 
-  public JwtConfig getJwtConfig() {
-    return jwtConfig;
-  }
-
-  public void setJwtConfig(JwtConfig jwtConfig) {
-    this.jwtConfig = jwtConfig;
-  }
-
-  public void setIdentityConfig(IdentityConfig identityConfig) {
-    this.identityConfig = identityConfig;
-  }
-
   @Override
-  public Authentication build() {
-    return this;
+  protected JwtToken generateToken(Product product, JwtCredential credential) {
+    Tokens token = getIdentityToken(product, credential);
+    return new JwtToken(
+        token.getAccessToken(), LocalDateTime.now().plusSeconds(token.getExpiresIn()));
   }
 
-  @Override
-  public void resetToken(Product product) {
-    tokens.remove(product);
-  }
-
-  @Override
-  public Map.Entry<String, String> getTokenHeader(Product product) {
-    String token;
-    if (tokens.containsKey(product)) {
-      token = tokens.get(product);
-    } else {
-      token = getIdentityToken(product);
-      saveToken(product, token);
-    }
-    return new AbstractMap.SimpleEntry<>("Authorization", "Bearer " + token);
-  }
-
-  private String getIdentityToken(Product product) {
+  private Tokens getIdentityToken(Product product, JwtCredential credential) {
     Identity identity = identityConfig.get(product).getIdentity();
-    String audience = jwtConfig.getProduct(product).getAudience();
-    Tokens identityTokens = identity.authentication().requestToken(audience);
-    return identityTokens.getAccessToken();
-  }
-
-  private void saveToken(Product product, String token) {
-    tokens.put(product, token);
+    String audience = credential.getAudience();
+    return identity.authentication().requestToken(audience);
   }
 }

camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SelfManagedAuthenticationBuilder.java

@@ -2,25 +2,22 @@
 
 import io.camunda.common.auth.identity.IdentityConfig;
 
-public class SelfManagedAuthenticationBuilder {
+public class SelfManagedAuthenticationBuilder
+    extends JwtAuthenticationBuilder<SelfManagedAuthenticationBuilder> {
+  private IdentityConfig identityConfig;
 
-  SelfManagedAuthentication selfManagedAuthentication;
-
-  SelfManagedAuthenticationBuilder() {
-    selfManagedAuthentication = new SelfManagedAuthentication();
-  }
-
-  public SelfManagedAuthenticationBuilder jwtConfig(JwtConfig jwtConfig) {
-    selfManagedAuthentication.setJwtConfig(jwtConfig);
+  public SelfManagedAuthenticationBuilder withIdentityConfig(IdentityConfig identityConfig) {
+    this.identityConfig = identityConfig;
     return this;
   }
 
-  public SelfManagedAuthenticationBuilder identityConfig(IdentityConfig identityConfig) {
-    selfManagedAuthentication.setIdentityConfig(identityConfig);
+  @Override
+  protected SelfManagedAuthenticationBuilder self() {
     return this;
   }
 
-  public Authentication build() {
-    return selfManagedAuthentication.build();
+  @Override
+  protected Authentication build(JwtConfig jwtConfig) {
+    return new SelfManagedAuthentication(jwtConfig, identityConfig);
   }
 }