Refactors the App Engine Jetty runtime by extracting several nested classes from AppEngineAuthentication.java.

PiperOrigin-RevId: 874366115
Change-Id: I29ad2e55d9a14e3b5250ab58a910bf1010d952af

Author: ludoch

shared_sdk_jetty12/src/main/java/com/google/apphosting/runtime/jetty/AppEngineAuthentication.java

@@ -22,20 +22,16 @@
 import com.google.apphosting.api.ApiProxy;
 import com.google.common.flogger.GoogleLogger;
 import java.io.IOException;
-import java.security.Principal;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.function.Function;
-import javax.security.auth.Subject;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.eclipse.jetty.ee8.nested.Authentication;
-import org.eclipse.jetty.ee8.security.Authenticator;
 import org.eclipse.jetty.ee8.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.ee8.security.SecurityHandler;
 import org.eclipse.jetty.ee8.security.ServerAuthException;
 import org.eclipse.jetty.ee8.security.UserAuthentication;
 import org.eclipse.jetty.ee8.security.authentication.DeferredAuthentication;
@@ -77,9 +73,10 @@ public class AppEngineAuthentication {
    * Any authenticated user is a member of the {@code "*"} role, and any administrators are members
    * of the {@code "admin"} role. Any other roles will be logged and ignored.
    */
-  private static final String USER_ROLE = "*";
 
-  private static final String ADMIN_ROLE = "admin";
+  static final String USER_ROLE = "*";
+
+  static final String ADMIN_ROLE = "admin";
 
   /**
    * Inject custom {@link LoginService} and {@link Authenticator} implementations into the specified
@@ -245,170 +242,5 @@ private static String getFullURL(HttpServletRequest request) {
     return buffer.toString();
   }
 
-  /**
-   * {@code AppEngineLoginService} is a custom Jetty {@link LoginService} that is aware of the two
-   * special role names implemented by Google App Engine. Any authenticated user is a member of the
-   * {@code "*"} role, and any administrators are members of the {@code "admin"} role. Any other
-   * roles will be logged and ignored.
-   */
-  private static class AppEngineLoginService implements LoginService {
-    private IdentityService identityService;
-
-    /**
-     * @return Get the name of the login service (aka Realm name)
-     */
-    @Override
-    public String getName() {
-      return REALM_NAME;
-    }
-
-    @Override
-    public UserIdentity login(
-        String s, Object o, Request request, Function<Boolean, Session> function) {
-      return loadUser();
-    }
-
-    /**
-     * Creates a new AppEngineUserIdentity based on information retrieved from the Users API.
-     *
-     * @return A AppEngineUserIdentity if a user is logged in, or null otherwise.
-     */
-    private AppEngineUserIdentity loadUser() {
-      UserService userService = UserServiceFactory.getUserService();
-      User engineUser = userService.getCurrentUser();
-      if (engineUser == null) {
-        return null;
-      }
-      return new AppEngineUserIdentity(new AppEnginePrincipal(engineUser));
-    }
-
-    @Override
-    public IdentityService getIdentityService() {
-      return identityService;
-    }
-
-    @Override
-    public void logout(UserIdentity user) {
-      // Jetty calls this on every request -- even if user is null!
-      if (user != null) {
-        logger.atFine().log("Ignoring logout call for: %s", user);
-      }
-    }
-
-    @Override
-    public void setIdentityService(IdentityService identityService) {
-      this.identityService = identityService;
-    }
-
-    @Override
-    public boolean validate(UserIdentity user) {
-      logger.atInfo().log("validate(%s) throwing UnsupportedOperationException.", user);
-      throw new UnsupportedOperationException();
-    }
-  }
-
-  /**
-   * {@code AppEnginePrincipal} is an implementation of {@link Principal} that represents a
-   * logged-in Google App Engine user.
-   */
-  public static class AppEnginePrincipal implements Principal {
-    private final User user;
-
-    public AppEnginePrincipal(User user) {
-      this.user = user;
-    }
-
-    public User getUser() {
-      return user;
-    }
-
-    @Override
-    public String getName() {
-      if ((user.getFederatedIdentity() != null) && (!user.getFederatedIdentity().isEmpty())) {
-        return user.getFederatedIdentity();
-      }
-      return user.getEmail();
-    }
-
-    @Override
-    public boolean equals(Object other) {
-      if (other instanceof AppEnginePrincipal) {
-        return user.equals(((AppEnginePrincipal) other).user);
-      } else {
-        return false;
-      }
-    }
-
-    @Override
-    public String toString() {
-      return user.toString();
-    }
-
-    @Override
-    public int hashCode() {
-      return user.hashCode();
-    }
-  }
-
-  /**
-   * {@code AppEngineUserIdentity} is an implementation of {@link UserIdentity} that represents a
-   * logged-in Google App Engine user.
-   */
-  public static class AppEngineUserIdentity implements UserIdentity {
-
-    private final AppEnginePrincipal userPrincipal;
-
-    public AppEngineUserIdentity(AppEnginePrincipal userPrincipal) {
-      this.userPrincipal = userPrincipal;
-    }
-
-    /*
-     * Only used by jaas and jaspi.
-     */
-    @Override
-    public Subject getSubject() {
-      logger.atInfo().log("getSubject() throwing UnsupportedOperationException.");
-      throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public Principal getUserPrincipal() {
-      return userPrincipal;
-    }
-
-    @Override
-    public boolean isUserInRole(String role) {
-      UserService userService = UserServiceFactory.getUserService();
-      logger.atFine().log("Checking if principal %s is in role %s", userPrincipal, role);
-      if (userPrincipal == null) {
-        logger.atInfo().log("isUserInRole() called with null principal.");
-        return false;
-      }
-
-      if (USER_ROLE.equals(role)) {
-        return true;
-      }
-
-      if (ADMIN_ROLE.equals(role)) {
-        User user = userPrincipal.getUser();
-        if (user.equals(userService.getCurrentUser())) {
-          return userService.isUserAdmin();
-        } else {
-          // TODO: I'm not sure this will happen in
-          //   practice. If it does, we may need to pass an
-          //   application's admin list down somehow.
-          logger.atSevere().log("Cannot tell if non-logged-in user %s is an admin.", user);
-          return false;
-        }
-      } else {
-        logger.atWarning().log("Unknown role: %s.", role);
-        return false;
-      }
-    }
-
-    @Override
-    public String toString() {
-      return AppEngineUserIdentity.class.getSimpleName() + "('" + userPrincipal + "')";
-    }
-  }
+  private AppEngineAuthentication() {}
 }

shared_sdk_jetty12/src/main/java/com/google/apphosting/runtime/jetty/AppEngineLoginService.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.apphosting.runtime.jetty;
+
+import com.google.appengine.api.users.User;
+import com.google.appengine.api.users.UserService;
+import com.google.appengine.api.users.UserServiceFactory;
+import com.google.common.flogger.GoogleLogger;
+import java.util.function.Function;
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.security.UserIdentity;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Session;
+
+/**
+ * {@code AppEngineLoginService} is a custom Jetty {@link LoginService} that is aware of the two
+ * special role names implemented by Google App Engine. Any authenticated user is a member of the
+ * {@code "*"} role, and any administrators are members of the {@code "admin"} role. Any other
+ * roles will be logged and ignored.
+ */
+public class AppEngineLoginService implements LoginService {
+  private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
+
+  private static final String REALM_NAME = "Google App Engine";
+
+  private IdentityService identityService;
+
+  /**
+   * @return Get the name of the login service (aka Realm name)
+   */
+  @Override
+  public String getName() {
+    return REALM_NAME;
+  }
+
+  @Override
+  public UserIdentity login(
+      String s, Object o, Request request, Function<Boolean, Session> function) {
+    return loadUser();
+  }
+
+  /**
+   * Creates a new AppEngineUserIdentity based on information retrieved from the Users API.
+   *
+   * @return A AppEngineUserIdentity if a user is logged in, or null otherwise.
+   */
+  private AppEngineUserIdentity loadUser() {
+    UserService userService = UserServiceFactory.getUserService();
+    User engineUser = userService.getCurrentUser();
+    if (engineUser == null) {
+      return null;
+    }
+    return new AppEngineUserIdentity(new AppEnginePrincipal(engineUser));
+  }
+
+  @Override
+  public IdentityService getIdentityService() {
+    return identityService;
+  }
+
+  @Override
+  public void logout(UserIdentity user) {
+    // Jetty calls this on every request -- even if user is null!
+    if (user != null) {
+      logger.atFine().log("Ignoring logout call for: %s", user);
+    }
+  }
+
+  @Override
+  public void setIdentityService(IdentityService identityService) {
+    this.identityService = identityService;
+  }
+
+  @Override
+  public boolean validate(UserIdentity user) {
+    logger.atInfo().log("validate(%s) throwing UnsupportedOperationException.", user);
+    throw new UnsupportedOperationException();
+  }
+}

shared_sdk_jetty12/src/main/java/com/google/apphosting/runtime/jetty/AppEnginePrincipal.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.apphosting.runtime.jetty;
+
+import com.google.appengine.api.users.User;
+import java.security.Principal;
+
+/**
+ * {@code AppEnginePrincipal} is an implementation of {@link Principal} that represents a logged-in
+ * Google App Engine user.
+ */
+public final class AppEnginePrincipal implements Principal {
+  private final User user;
+
+  AppEnginePrincipal(User user) {
+    this.user = user;
+  }
+
+  public User getUser() {
+    return user;
+  }
+
+  @Override
+  public String getName() {
+    if ((user.getFederatedIdentity() != null) && !user.getFederatedIdentity().isEmpty()) {
+      return user.getFederatedIdentity();
+    }
+    return user.getEmail();
+  }
+
+  @Override
+  public boolean equals(Object other) {
+    if (other instanceof AppEnginePrincipal appEnginePrincipal) {
+      return user.equals(appEnginePrincipal.user);
+    } else {
+      return false;
+    }
+  }
+
+  @Override
+  public String toString() {
+    return user.toString();
+  }
+
+  @Override
+  public int hashCode() {
+    return user.hashCode();
+  }
+}