This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new 62ed364 cleanup after CXF upgrade
62ed364 is described below
commit 62ed3645b0d6468379cc1c754a05a057f39a858d
Author: Alexey Markevich <[email protected]>
AuthorDate: Fri Feb 14 16:00:09 2020 +0300
cleanup after CXF upgrade
---
.../fediz/service/oidc/FedizOidcKeysService.java | 165 ---------------------
.../fediz/service/oidc/OAuthDataProviderImpl.java | 99 -------------
.../src/main/webapp/WEB-INF/applicationContext.xml | 2 +-
.../src/test/resources/oidc/applicationContext.xml | 4 +-
.../resources/oidc/spring/applicationContext.xml | 4 +-
.../cxf/fediz/systests/common/AbstractTests.java | 4 -
6 files changed, 5 insertions(+), 273 deletions(-)
diff --git
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java
deleted file mode 100644
index 65468e5..0000000
---
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.oidc;
-
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Properties;
-
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-
-import org.apache.cxf.common.util.PropertyUtils;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.KeyManagementUtils;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
-import org.apache.cxf.rs.security.jose.jwk.KeyType;
-import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-
-/**
- * TODO Remove this once we pick up CXF 3.3.5
- */
-@Path("keys")
-public class FedizOidcKeysService {
-
- private volatile JsonWebKeys keySet;
- private WebClient keyServiceClient;
- private boolean stripPrivateParameters = true;
-
- @GET
- @Produces("application/json")
- public JsonWebKeys getPublicVerificationKeys() {
- if (keySet == null) {
- if (keyServiceClient == null) {
- keySet = getFromLocalStore(stripPrivateParameters);
- } else {
- keySet = keyServiceClient.get(JsonWebKeys.class);
- }
-
- }
- return keySet;
- }
-
- private static JsonWebKeys getFromLocalStore(boolean
stripPrivateParameters) {
- Properties props = JwsUtils.loadSignatureInProperties(true);
- return loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(),
props, stripPrivateParameters);
- }
-
- public void setKeyServiceClient(WebClient keyServiceClient) {
- this.keyServiceClient = keyServiceClient;
- }
-
- public boolean isStripPrivateParameters() {
- return stripPrivateParameters;
- }
-
- /**
- * Whether to strip private parameters from the keys that are returned.
The default is true.
- */
- public void setStripPrivateParameters(boolean stripPrivateParameters) {
- this.stripPrivateParameters = stripPrivateParameters;
- }
-
- private static JsonWebKeys loadPublicVerificationKeys(Message m,
Properties props, boolean stripPrivateParameters) {
- String storeType =
props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
- if ("jwk".equals(storeType)) {
- List<JsonWebKey> jsonWebKeys = loadJsonWebKeys(m, props,
KeyOperation.SIGN);
- if (jsonWebKeys == null || jsonWebKeys.isEmpty()) {
- throw new JoseException("Error loading keys");
- }
- JsonWebKeys retKeys = new JsonWebKeys();
- retKeys.setKeys(stripPrivateParameters ?
stripPrivateParameters(jsonWebKeys) : jsonWebKeys);
- return retKeys;
- }
- X509Certificate[] certs = null;
- if
(PropertyUtils.isTrue(props.get(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT))) {
- certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
- }
- PublicKey key = certs != null && certs.length > 0
- ? certs[0].getPublicKey() : KeyManagementUtils.loadPublicKey(m,
props);
- JsonWebKey jwk = JwkUtils.fromPublicKey(key, props,
JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
- jwk.setPublicKeyUse(PublicKeyUse.SIGN);
- if (certs != null) {
-
jwk.setX509Chain(KeyManagementUtils.encodeX509CertificateChain(certs));
- }
- return new JsonWebKeys(jwk);
- }
-
- private static List<JsonWebKey> stripPrivateParameters(List<JsonWebKey>
keys) {
- if (keys == null) {
- return Collections.emptyList();
- }
-
- List<JsonWebKey> parsedKeys = new ArrayList<>(keys.size());
- Iterator<JsonWebKey> iter = keys.iterator();
- while (iter.hasNext()) {
- JsonWebKey key = iter.next();
- if (!(key.containsProperty("k") || key.getKeyType() ==
KeyType.OCTET)) {
- // We don't allow secret keys in a public keyset
- key.removeProperty(JsonWebKey.RSA_PRIVATE_EXP);
- key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR);
- key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR);
- key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_CRT);
- key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_CRT);
- key.removeProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT);
- parsedKeys.add(key);
- }
- }
- return parsedKeys;
- }
-
- private static List<JsonWebKey> loadJsonWebKeys(Message m,
- Properties props,
- KeyOperation keyOper) {
- JsonWebKeys jwkSet = JwkUtils.loadJwkSet(m, props, null);
- String kid = KeyManagementUtils.getKeyId(m, props,
JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper);
- if (kid != null) {
- return Collections.singletonList(jwkSet.getKey(kid));
- }
- String kids = KeyManagementUtils.getKeyId(m, props,
JoseConstants.RSSEC_KEY_STORE_ALIASES, keyOper);
- if (kids != null) {
- String[] values = kids.split(",");
- List<JsonWebKey> keys = new ArrayList<>(values.length);
- for (String value : values) {
- keys.add(jwkSet.getKey(value));
- }
- return keys;
- }
- if (keyOper != null) {
- List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper);
- if (keys != null && keys.size() == 1) {
- return Collections.singletonList(keys.get(0));
- }
- }
- return null;
- }
-}
diff --git
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
index 0cbc666..29232f3 100644
---
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
+++
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
@@ -24,12 +24,9 @@ import java.util.List;
import java.util.Set;
import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.JCacheCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OAuthDataProviderImpl extends JCacheCodeDataProvider {
@@ -46,100 +43,4 @@ public class OAuthDataProviderImpl extends
JCacheCodeDataProvider {
}
}
- //
- // BEGIN - TODO This can be removed once we pick up CXF 3.3.5
- //
-
- @Override
- public ServerAccessToken refreshAccessToken(Client client, String
refreshTokenKey,
- List<String> restrictedScopes)
throws OAuthServiceException {
- RefreshToken currentRefreshToken = isRecycleRefreshTokens()
- ? revokeRefreshToken(client, refreshTokenKey) :
getRefreshToken(refreshTokenKey);
- if (currentRefreshToken == null) {
- throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
- }
- if (OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(),
currentRefreshToken.getExpiresIn())) {
- if (!isRecycleRefreshTokens()) {
- revokeRefreshToken(client, refreshTokenKey);
- }
- throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
- }
- if (isRecycleRefreshTokens()) {
- revokeAccessTokens(client, currentRefreshToken);
- }
-
- ServerAccessToken at = doRefreshAccessToken(client,
currentRefreshToken, restrictedScopes);
- saveAccessToken(at);
- if (isRecycleRefreshTokens()) {
- createNewRefreshToken(at);
- } else {
- updateExistingRefreshToken(currentRefreshToken, at);
- }
- return at;
- }
-
- @Override
- public void revokeToken(Client client, String tokenKey, String
tokenTypeHint) throws OAuthServiceException {
- ServerAccessToken accessToken = null;
- if (!OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {
- accessToken = revokeAccessToken(client, tokenKey);
- }
- if (accessToken != null) {
- handleLinkedRefreshToken(client, accessToken);
- } else if (!OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) {
- RefreshToken currentRefreshToken = revokeRefreshToken(client,
tokenKey);
- revokeAccessTokens(client, currentRefreshToken);
- }
- }
-
- protected void handleLinkedRefreshToken(Client client, ServerAccessToken
accessToken) {
- if (accessToken != null && accessToken.getRefreshToken() != null) {
- RefreshToken rt = getRefreshToken(accessToken.getRefreshToken());
- if (rt == null) {
- return;
- }
-
- unlinkRefreshAccessToken(rt, accessToken.getTokenKey());
- if (rt.getAccessTokens().isEmpty()) {
- revokeRefreshToken(client, rt.getTokenKey());
- } else {
- saveRefreshToken(rt);
- }
- }
-
- }
-
- protected void revokeAccessTokens(Client client, RefreshToken
currentRefreshToken) {
- if (currentRefreshToken != null) {
- for (String accessTokenKey :
currentRefreshToken.getAccessTokens()) {
- revokeAccessToken(client, accessTokenKey);
- }
- }
- }
-
- protected ServerAccessToken revokeAccessToken(Client client, String
accessTokenKey) {
- ServerAccessToken at = getAccessToken(accessTokenKey);
- if (at != null) {
- if (!at.getClient().getClientId().equals(client.getClientId())) {
- throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
- }
- doRevokeAccessToken(at);
- }
- return at;
- }
-
- protected RefreshToken revokeRefreshToken(Client client, String
refreshTokenKey) {
- RefreshToken refreshToken = getRefreshToken(refreshTokenKey);
- if (refreshToken != null) {
- if
(!refreshToken.getClient().getClientId().equals(client.getClientId())) {
- throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
- }
- doRevokeRefreshToken(refreshToken);
- }
- return refreshToken;
- }
-
- //
- // END
- //
}
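Review bot: The deleted overrides of revokeAccessToken and revokeRefreshToken were the only visible place enforcing that a token can be revoked only by the client that owns it (the INVALID_GRANT checks around `if (!at.getClient().getClientId().equals(client.getClientId()))`), so after this hunk OAuthDataProviderImpl depends entirely on the inherited JCacheCodeDataProvider behaviour for that check. The removed BEGIN/END markers tied the block to "once we pick up CXF 3.3.5", but the diffstat lists no build-file change, so the dependency version that makes these overrides redundant is not visible in this commit; presumably it landed earlier — worth confirming the resolved CXF version is at least 3.3.5 before merging, since a mismatch would silently drop an authorization check rather than fail to compile. The same applies to the removed refreshAccessToken, which revoked an expired refresh token instead of merely refusing it. A one-line class Javadoc note such as `Revocation and refresh ownership checks are inherited from the CXF data provider base class (3.3.5+).` would make that reliance explicit; the class declaration lies outside the hunk.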
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index e065b23..b2ee2fe 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -104,7 +104,7 @@
Public JWK Key Service: Disable it if the client secret is used or if
pre-installing public OIDC keys to clients is preferred
-->
- <bean id="oidcKeysService"
class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+ <bean id="oidcKeysService"
class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService"/>
diff --git a/systests/oidc/src/test/resources/oidc/applicationContext.xml
b/systests/oidc/src/test/resources/oidc/applicationContext.xml
index 89bf21c..40a03cb 100644
--- a/systests/oidc/src/test/resources/oidc/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/applicationContext.xml
@@ -110,7 +110,7 @@
Public JWK Key Service: Disable it if the client secret is used or if
pre-installing public OIDC keys to clients is preferred
-->
- <bean id="oidcKeysService"
class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+ <bean id="oidcKeysService"
class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService"/>
@@ -125,7 +125,7 @@
</jaxrs:properties>
</jaxrs:server>
- <bean id="oidcKeysService2"
class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+ <bean id="oidcKeysService2"
class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk2">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService2"/>
diff --git
a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
index e2cdc7d..d5c01f7 100644
--- a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
@@ -178,7 +178,7 @@
Public JWK Key Service: Disable it if the client secret is used or if
pre-installing public OIDC keys to clients is preferred
-->
- <bean id="oidcKeysService"
class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+ <bean id="oidcKeysService"
class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService"/>
@@ -193,7 +193,7 @@
</jaxrs:properties>
</jaxrs:server>
- <bean id="oidcKeysService2"
class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+ <bean id="oidcKeysService2"
class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk2">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService2"/>
diff --git
a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index 02bb2d1..a1bc168 100644
---
a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++
b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -65,10 +65,6 @@ public abstract class AbstractTests {
WSSConfig.init();
}
- public AbstractTests() {
- super();
- }
-
public abstract String getServletContextName();
public abstract String getIdpHttpsPort();