Commit 6ceff243 authored by Matija Obreza's avatar Matija Obreza

OAuth upgrades

parent b214fa7b
......@@ -51,7 +51,7 @@
<hsqldb.version>2.3.1</hsqldb.version>
<ehcache.version>2.7.4</ehcache.version>
<slf4j.version>1.7.5</slf4j.version>
<slf4j.version>1.7.7</slf4j.version>
<log4j.version>1.2.17</log4j.version>
<aspectj.version>1.7.2</aspectj.version>
......@@ -499,7 +499,12 @@
<version>${jetty.version}</version>
<scope>runtime</scope>
</dependency>
</dependencies>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${slf4j.version}</version>
</dependency>
</dependencies>
<build>
<plugins>
......
/**
* Copyright 2014 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
package org.genesys2.server.listener.sample;
import org.genesys2.server.model.oauth.OAuthClientDetails;
import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class CreateClientDetailsListener implements InitializingBean {
@Autowired
private OAuth2ClientDetailsService clientDetailsService;
public static final String DEFAULT_CLIENT_DETAILS_ID = "CropHub";
@Override
public void afterPropertiesSet() throws Exception {
if (!clientDetailsService.exists(DEFAULT_CLIENT_DETAILS_ID)) {
createClientDetails();
}
}
private void createClientDetails() {
final OAuthClientDetails clientDetails = new OAuthClientDetails();
clientDetails.setClientId(DEFAULT_CLIENT_DETAILS_ID);
clientDetails.setClientSecret("0xcafebabe");
clientDetails.setScope("read,write");
clientDetails.setAuthorizedGrantTypes("authorization_code,refresh_token");
// 50 days
clientDetails.setRefreshTokenValiditySeconds(50 * 24 * 60 * 60);
// 7 days
clientDetails.setAccessTokenValiditySeconds(7 * 24 * 60 * 60);
clientDetails.setAuthorities("USER");
clientDetailsService.addClientDetails(clientDetails);
}
}
......@@ -29,46 +29,54 @@ import java.util.Set;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Lob;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.apache.commons.lang.StringUtils;
import org.genesys2.server.model.AclAwareModel;
import org.genesys2.server.model.VersionedAuditedModel;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.util.StringUtils;
@Entity
@Table(name = "oauth_client_details")
public class OAuthClientDetails implements ClientDetails {
@Table(name = "oauthclient")
public class OAuthClientDetails extends VersionedAuditedModel implements ClientDetails, AclAwareModel {
private static final long serialVersionUID = 5328458631619687041L;
@Id
@Column(name = "client_id", unique = true, nullable = false)
@Column(length = 200)
private String title;
@Lob
@Column
private String description;
@Column(unique = true, nullable = false)
private String clientId;
@Column(name = "client_secret")
@Column(length = 100)
private String clientSecret;
@Column(name = "resource_ids")
@Column(length = 400)
private String resourceIds;
@Column(name = "scope")
@Column(length = 400)
private String scope;
@Column(name = "authorities")
@Column(length = 400)
private String authorities;
@Column(name = "authorized_grant_types")
@Column(length = 400)
private String authorizedGrantTypes;
@Column(name = "web_server_redirect_uri")
private String registeredRedirectUri;
@Column(length = 400)
private String redirectUris;
@Column(name = "access_token_validity")
@Column
private Integer accessTokenValiditySeconds;
@Column(name = "refresh_token_validity")
@Column
private Integer refreshTokenValiditySeconds;
@Column(name = "additional_information")
......@@ -89,34 +97,26 @@ public class OAuthClientDetails implements ClientDetails {
this.clientId = clientId;
if (StringUtils.hasText(resourceIds)) {
// Set<String> resources =
// StringUtils.commaDelimitedListToSet(resourceIds);
if (!resourceIds.isEmpty()) {
this.resourceIds = resourceIds;
}
if (StringUtils.isNotBlank(resourceIds)) {
this.resourceIds = resourceIds;
}
if (StringUtils.hasText(scopes)) {
// Set<String> scopeList =
// StringUtils.commaDelimitedListToSet(scopes);
if (!scopes.isEmpty()) {
this.scope = scopes;
}
if (StringUtils.isNotBlank(scopes)) {
this.scope = scopes;
}
if (StringUtils.hasText(grantTypes)) {
if (StringUtils.isNotBlank(grantTypes)) {
this.authorizedGrantTypes = grantTypes;
} else {
this.authorizedGrantTypes = "authorization_code, refresh_token";
this.authorizedGrantTypes = "authorization_code,refresh_token";
}
if (StringUtils.hasText(authorities)) {
if (StringUtils.isNotBlank(authorities)) {
this.authorities = authorities;
}
if (StringUtils.hasText(redirectUris)) {
this.registeredRedirectUri = redirectUris;
if (StringUtils.isNotBlank(redirectUris)) {
this.redirectUris = redirectUris;
}
}
......@@ -226,8 +226,8 @@ public class OAuthClientDetails implements ClientDetails {
@Override
public Set<String> getRegisteredRedirectUri() {
if (registeredRedirectUri != null && !registeredRedirectUri.isEmpty()) {
final String[] split = registeredRedirectUri.split(",");
if (redirectUris != null && !redirectUris.isEmpty()) {
final String[] split = redirectUris.split(",");
final List<String> strings = Arrays.asList(split);
return new LinkedHashSet<String>(strings);
} else {
......@@ -235,13 +235,17 @@ public class OAuthClientDetails implements ClientDetails {
}
}
public void setRegisteredRedirectUri(String registeredRedirectUris) {
this.registeredRedirectUri = registeredRedirectUris;
public void setRedirectUris(String redirectUris) {
this.redirectUris = redirectUris;
}
public String getRedirectUris() {
return redirectUris;
}
@Override
public Map<String, Object> getAdditionalInformation() {
if (additionalInformation != null && !additionalInformation.isEmpty()) {
if (StringUtils.isNotBlank(additionalInformation)) {
final Map<String, Object> myMap = new HashMap<String, Object>();
final String[] pairs = additionalInformation.split(",");
for (final String pair : pairs) {
......@@ -270,4 +274,20 @@ public class OAuthClientDetails implements ClientDetails {
public boolean isScoped() {
return this.scope != null && !this.scope.isEmpty();
}
public String getTitle() {
return title;
}
public void setTitle(String title) {
this.title = title;
}
public String getDescription() {
return description;
}
public void setDescription(String description) {
this.description = description;
}
}
......@@ -24,6 +24,7 @@ import org.genesys2.server.model.genesys.AccessionAlias;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
public interface AccessionAliasRepository extends JpaRepository<AccessionAlias, Long> {
......@@ -32,6 +33,6 @@ public interface AccessionAliasRepository extends JpaRepository<AccessionAlias,
List<AccessionAlias> findByAccessionAndAliasType(Accession accession, int aliasType);
@Modifying
@Query("delete from AccessionAlias aa where aa.accession in (from Accession a where a.id in ( ?1 ))")
void deleteForAccessions(Collection<Long> accessionIds);
@Query("delete from AccessionAlias aa where aa.accession in (from Accession a where a.id in ( :ids ))")
void deleteForAccessions(@Param("ids") Collection<Long> accessionIds);
}
......@@ -28,7 +28,7 @@ import org.springframework.data.repository.query.Param;
import org.springframework.transaction.annotation.Transactional;
@Transactional
public interface OAuthAccessTokenPersistence extends JpaRepository<OAuthAccessToken, String> {
public interface OAuthAccessTokenPersistence extends JpaRepository<OAuthAccessToken, Long> {
Collection<OAuthAccessToken> findByClientId(String clientId);
......@@ -40,15 +40,25 @@ public interface OAuthAccessTokenPersistence extends JpaRepository<OAuthAccessTo
@Modifying
void deleteByIds(@Param("ids") List<Long> ids);
@Query("delete from OAuthAccessToken where refreshToken = ?1")
@Query("delete from OAuthAccessToken where refreshToken = :value")
@Modifying
void deleteByRefreshToken(String value);
@Query("select id from OAuthAccessToken where expiration < ?1")
List<Long> getIdsExpiredBefore(Date date);
void deleteByRefreshToken(@Param("value") String value);
@Query("select refreshToken from OAuthAccessToken where value in (:ids)")
List<String> getRefreshTokensByIds(@Param("ids") List<Long> ids);
OAuthAccessToken findByValue(String value);
@Query("delete from OAuthAccessToken where value = :value")
@Modifying
void deleteByValue(@Param("value") String value);
@Query("delete from OAuthAccessToken where clientId = ?")
@Modifying
void deleteByClientId(String clientId);
@Modifying
@Query("delete from OAuthAccessToken where expiration < ?")
int deleteOlderThan(Date date);
}
......@@ -18,9 +18,12 @@ package org.genesys2.server.persistence.domain;
import org.genesys2.server.model.oauth.OAuthClientDetails;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.transaction.annotation.Transactional;
@Transactional
public interface OAuthClientDetailsPersistence extends JpaRepository<OAuthClientDetails, String> {
public interface OAuthClientDetailsPersistence extends JpaRepository<OAuthClientDetails, Long> {
ClientDetails findByClientId(String clientId);
}
......@@ -30,7 +30,7 @@ public interface OAuthCodePersistence extends JpaRepository<OAuthCode, Long> {
OAuthCode findByCode(String code);
@Modifying
@Query("delete from OAuthCode code where code.createdDate < ?1")
@Query("delete from OAuthCode where createdDate < ?")
int deleteOlderThan(Date date);
}
......@@ -16,6 +16,8 @@
package org.genesys2.server.persistence.domain;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import org.genesys2.server.model.oauth.OAuthRefreshToken;
......@@ -26,12 +28,26 @@ import org.springframework.data.repository.query.Param;
import org.springframework.transaction.annotation.Transactional;
@Transactional
public interface OAuthRefreshTokenPersistence extends JpaRepository<OAuthRefreshToken, String> {
public interface OAuthRefreshTokenPersistence extends JpaRepository<OAuthRefreshToken, Long> {
@Query("delete from OAuthRefreshToken where tokenId in (:ids)")
@Query("delete from OAuthRefreshToken where value in (:values)")
@Modifying
void deleteByTokenIds(@Param("ids") List<String> tokenIds);
void deleteByTokenValues(@Param("values") List<String> values);
OAuthRefreshToken findByValue(String value);
@Query("delete from OAuthRefreshToken where value = ?")
@Modifying
void deleteByValue(String value);
Collection<OAuthRefreshToken> findByClientId(String clientId);
@Query("delete from OAuthRefreshToken where clientId = ?")
@Modifying
void deleteByClientId(String clientId);
@Modifying
@Query("delete from OAuthRefreshToken where expiration < ?")
int deleteOlderThan(Date date);
}
......@@ -16,10 +16,17 @@
package org.genesys2.server.service;
import java.util.Collection;
import org.genesys2.server.model.oauth.OAuthRefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
public interface JPATokenStore extends TokenStore {
void removeAccessToken(String tokenId);
void removeAccessToken(long tokenId);
Collection<OAuthRefreshToken> findRefreshTokensByClientId(String clientId);
void removeRefreshToken(long tokenId);
}
package org.genesys2.server.service;
public interface JPATokenStoreCleanup {
public void removeExpired();
}
......@@ -17,16 +17,35 @@
package org.genesys2.server.service;
import java.util.Collection;
import java.util.List;
import org.genesys2.server.model.oauth.OAuthAccessToken;
import org.genesys2.server.model.oauth.OAuthClientDetails;
import org.genesys2.server.model.oauth.OAuthClientType;
import org.genesys2.server.model.oauth.OAuthRefreshToken;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationService;
public interface OAuth2ClientDetailsService extends ClientDetailsService, ClientRegistrationService {
boolean exists(String clientId);
public interface OAuth2ClientDetailsService extends ClientDetailsService {
Collection<OAuthAccessToken> findTokensByClientId(String clientId);
Collection<OAuthRefreshToken> findRefreshTokensClientId(String clientId);
Collection<OAuthAccessToken> findTokensByUserUuid(String uuid);
OAuthClientDetails addClientDetails(String title, String description, String redirectUri, Integer accessTokenValiditySeconds, Integer refreshTokenValiditySeconds, OAuthClientType clientType);
OAuthClientDetails update(OAuthClientDetails clientDetails, String title, String description, String registeredRedirectUris, Integer accessTokenValiditySeconds, Integer refreshTokenValiditySeconds);
List<OAuthClientDetails> listClientDetails();
/**
* Returns client details if user has permission to manage
*
* @param clientId
* @return
*/
OAuthClientDetails getClientDetails(long clientId);
void removeClient(OAuthClientDetails clientDetails);
}
......@@ -65,10 +65,12 @@ public class OAuth2AuthorizationCodeServiceImpl implements OAuth2AuthorizationCo
@Override
@Scheduled(fixedDelay = 600000)
public void removeExpired() {
System.err.println("SCHEDULED TASK EXECUTED 2");
final Date olderThan = new Date(new Date().getTime() - 600000);
LOG.info("Removing OAuth verification codes from before: " + olderThan);
LOG.debug("Removing OAuth verification codes from before: " + olderThan);
final int count = oauthCodeRepository.deleteOlderThan(olderThan);
LOG.info("Removed expired OAuth verification codes: " + count);
if (count > 0)
LOG.info("Removed expired OAuth verification codes: " + count);
}
@Override
......@@ -160,11 +162,11 @@ public class OAuth2AuthorizationCodeServiceImpl implements OAuth2AuthorizationCo
final OAuthCode oauthCode = oauthCodeRepository.findByCode(code);
if (oauthCode != null) {
oauthCodeRepository.delete(oauthCode);
@SuppressWarnings("unchecked")
DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest(oauthCode.getClientId(), mapper.readValue(oauthCode.getScopes(),
HashSet.class));
authorizationRequest.setRedirectUri(oauthCode.getRedirectUri());
authorizationRequest.setApproved(true);
......
......@@ -16,25 +16,27 @@
package org.genesys2.server.service.impl;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.genesys2.server.model.oauth.OAuthAccessToken;
import org.genesys2.server.model.oauth.OAuthClientDetails;
import org.genesys2.server.model.oauth.OAuthClientType;
import org.genesys2.server.model.oauth.OAuthRefreshToken;
import org.genesys2.server.persistence.domain.OAuthAccessTokenPersistence;
import org.genesys2.server.persistence.domain.OAuthClientDetailsPersistence;
import org.genesys2.server.persistence.domain.OAuthRefreshTokenPersistence;
import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DuplicateKeyException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.stereotype.Service;
......@@ -51,17 +53,13 @@ public class OAuth2ClientDetailsServiceImpl implements OAuth2ClientDetailsServic
@Autowired
private OAuthAccessTokenPersistence accessTokenPersistence;
private PasswordEncoder passwordEncoder = NoOpPasswordEncoder.getInstance();
@Value("${base.host}")
private String hostname;
public OAuth2ClientDetailsServiceImpl() {
}
@Autowired
private OAuthRefreshTokenPersistence refreshTokenPersistence;
/**
* @param passwordEncoder
* the password encoder to set
*/
public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
this.passwordEncoder = passwordEncoder;
public OAuth2ClientDetailsServiceImpl() {
}
@Override
......@@ -69,73 +67,95 @@ public class OAuth2ClientDetailsServiceImpl implements OAuth2ClientDetailsServic
return accessTokenPersistence.findByClientId(clientId);
}
@Override
public Collection<OAuthRefreshToken> findRefreshTokensClientId(String clientId) {
return refreshTokenPersistence.findByClientId(clientId);
}
@Override
public Collection<OAuthAccessToken> findTokensByUserUuid(String uuid) {
return accessTokenPersistence.findByUserUuid(uuid);
}
@Override
@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'READ')")
public OAuthClientDetails getClientDetails(long clientId) {
return clientDetailsPersistence.findOne(clientId);
}
@Override
public ClientDetails loadClientByClientId(String clientId) throws InvalidClientException {
logger.info("loadClientByClientId: " + clientId);
if (logger.isDebugEnabled())
logger.debug("loadClientByClientId: " + clientId);
ClientDetails details;
try {
if (StringUtils.isBlank(clientId))
if (StringUtils.isBlank(clientId))
throw new NoSuchClientException("Blank client_id provided");
details = clientDetailsPersistence.findOne(clientId);
details = clientDetailsPersistence.findByClientId(clientId);
} catch (final EmptyResultDataAccessException e) {
throw new NoSuchClientException("No client with requested id: " + clientId);
}
if (details == null)
throw new NoSuchClientException("No such client: " + clientId);
return details;
}
@PreAuthorize("hasAnyRole('VETTEDUSER','ADMINISTRATOR')")
@Override
public void addClientDetails(ClientDetails clientDetails) throws ClientAlreadyExistsException {
try {
clientDetailsPersistence.save((OAuthClientDetails) clientDetails);
} catch (final DuplicateKeyException e) {
throw new ClientAlreadyExistsException("Client already exists: " + clientDetails.getClientId(), e);
}
public OAuthClientDetails addClientDetails(String title, String description, String redirectUri, Integer accessTokenValiditySeconds,
Integer refreshTokenValiditySeconds, OAuthClientType clientType) {
String clientId = RandomStringUtils.randomAlphanumeric(5) + "." + RandomStringUtils.randomAlphanumeric(20) + "@" + hostname;
String clientSecret = RandomStringUtils.randomAlphanumeric(32);
final OAuthClientDetails clientDetails = new OAuthClientDetails();
clientDetails.setTitle(title);
clientDetails.setDescription(StringUtils.defaultIfBlank(description, null));
clientDetails.setClientId(clientId);
clientDetails.setClientSecret(StringUtils.defaultIfBlank(clientSecret, null));
clientDetails.setAccessTokenValiditySeconds(accessTokenValiditySeconds);
clientDetails.setRefreshTokenValiditySeconds(refreshTokenValiditySeconds);
clientDetails.setRedirectUris(StringUtils.defaultIfBlank(redirectUri, null));
// clientDetails.setClientType(clientType);
clientDetails.setScope("read,write");
clientDetails.setAuthorizedGrantTypes("authorization_code,refresh_token");
clientDetails.setAuthorities("USER");
return clientDetailsPersistence.save(clientDetails);
}
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#clientDetails, 'WRITE')")
@Override
public void updateClientDetails(ClientDetails clientDetails) throws NoSuchClientException {
if (clientDetailsPersistence.exists(clientDetails.getClientId())) {
clientDetailsPersistence.save((OAuthClientDetails) clientDetails);
} else {
throw new NoSuchClientException("No client found with id = " + clientDetails.getClientId());
}
public OAuthClientDetails update(OAuthClientDetails clientDetails, String title, String description, String redirectUris,
Integer accessTokenValiditySeconds, Integer refreshTokenValiditySeconds) {
clientDetails.setTitle(title);