This is an automated email from the ASF dual-hosted git repository. buhhunyx pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push: new 9d363d1 cxf-rt-rs-security-oauth2: fix 'Potential null dereference' (#534) 9d363d1 is described below commit 9d363d1a2b7090bb67b9b362b1b9effdec351347 Author: Alexey Markevich <buhhu...@gmail.com> AuthorDate: Wed Apr 3 16:28:19 2019 +0300 cxf-rt-rs-security-oauth2: fix 'Potential null dereference' (#534) * cxf-rt-rs-security-oauth2: fix 'Potential null dereference' * typo --- .../oauth2/grants/code/JPACodeDataProvider.java | 4 +- .../oauth2/provider/JPAOAuthDataProvider.java | 72 ++++++++-------------- .../security/oauth2/tokens/hawk/HmacAlgorithm.java | 11 ++-- 3 files changed, 34 insertions(+), 53 deletions(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
index a0b2001..f7f01f1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
@@ -143,13 +143,13 @@ public class JPACodeDataProvider extends JPAOAuthDataProvider implements Authori if (c == null && resourceOwnerSubject == null) { return em.createQuery("SELECT c FROM ServerAuthorizationCodeGrant c", ServerAuthorizationCodeGrant.class); - } else if (c == null) { + } else if (c == null && resourceOwnerSubject != null) { return em.createQuery( "SELECT c FROM ServerAuthorizationCodeGrant" + " c JOIN c.subject s" + " WHERE s.login = :login", ServerAuthorizationCodeGrant.class) .setParameter("login", resourceOwnerSubject.getLogin()); - } else if (resourceOwnerSubject == null) { + } else if (c != null && resourceOwnerSubject == null) { return em.createQuery( "SELECT code FROM ServerAuthorizationCodeGrant code" + " JOIN code.client c" 
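Review bot: The guards added to the two `else if` branches (`c == null && resourceOwnerSubject != null` and `c != null && resourceOwnerSubject == null`) are logically redundant with the preceding `if (c == null && resourceOwnerSubject == null)` branch, so a later reader is likely to simplify them away and reintroduce the analyzer finding this commit silences. A comment above the first `else if` would make the intent durable, e.g. `// the extra null checks are redundant but keep static analysis from reporting a null dereference in the branches below`. Since `JPACodeDataProvider extends JPAOAuthDataProvider` and the same commit adds a `getQuery` helper to the parent, widening that helper from `private` to `protected` could let this method drop its duplicated branches as well, though the aliases used here (`c`, `code`) differ and would need checking. The method this hunk belongs to starts and ends outside the hunk; its remaining branches are not visible.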
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
index ae45789..b69b4be 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
@@ -22,6 +22,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.LinkedList; import java.util.List; +import java.util.Map; import javax.persistence.EntityManager; import javax.persistence.EntityManagerFactory; 
@@ -324,56 +325,37 @@ public class JPAOAuthDataProvider extends AbstractOAuthDataProvider { protected TypedQuery<BearerAccessToken> getTokensQuery(Client c, UserSubject resourceOwnerSubject, EntityManager entityManager) { - if (c == null && resourceOwnerSubject == null) { - return entityManager.createQuery("SELECT t FROM BearerAccessToken t", BearerAccessToken.class); - } else if (c == null) { - return entityManager.createQuery( - "SELECT t FROM BearerAccessToken t" - + " JOIN t.subject s" - + " WHERE s.login = :login", BearerAccessToken.class) - .setParameter("login", resourceOwnerSubject.getLogin()); - } else if (resourceOwnerSubject == null) { - return entityManager.createQuery( - "SELECT t FROM BearerAccessToken t" - + " JOIN t.client c" - + " WHERE c.clientId = :clientId", BearerAccessToken.class) - .setParameter("clientId", c.getClientId()); - } else { - return entityManager.createQuery( - "SELECT t FROM BearerAccessToken t" - + " JOIN t.subject s" - + " JOIN t.client c" - + " WHERE s.login = :login AND c.clientId = :clientId", BearerAccessToken.class) - .setParameter("login", resourceOwnerSubject.getLogin()) - .setParameter("clientId", c.getClientId()); - } + return getQuery("BearerAccessToken", c, resourceOwnerSubject, entityManager, BearerAccessToken.class); } protected TypedQuery<RefreshToken> getRefreshTokensQuery(Client c, UserSubject resourceOwnerSubject, EntityManager entityManager) { - if (c == null && resourceOwnerSubject == null) { - return entityManager.createQuery("SELECT t FROM RefreshToken t", RefreshToken.class); - } else if (c == null) { - return entityManager.createQuery( - "SELECT t FROM RefreshToken t" - + " JOIN t.subject s" - + " WHERE s.login = :login", RefreshToken.class) - .setParameter("login", resourceOwnerSubject.getLogin()); - } else if (resourceOwnerSubject == null) { - return entityManager.createQuery( - "SELECT t FROM RefreshToken t" - + " JOIN t.client c" - + " WHERE c.clientId = :clientId", RefreshToken.class) - 
.setParameter("clientId", c.getClientId()); - } else { - return entityManager.createQuery( - "SELECT t FROM RefreshToken t" - + " JOIN t.subject s" - + " JOIN t.client c" - + " WHERE s.login = :login AND c.clientId = :clientId", RefreshToken.class) - .setParameter("login", resourceOwnerSubject.getLogin()) - .setParameter("clientId", c.getClientId()); + return getQuery("RefreshToken", c, resourceOwnerSubject, entityManager, RefreshToken.class); + } + + private static <T> TypedQuery<T> getQuery(String table, Client c, UserSubject resourceOwnerSubject, + EntityManager entityManager, Class<T> resultClass) { + StringBuilder query = new StringBuilder("SELECT t FROM ").append(table).append(" t"); + Map<String, Object> parameterMap = new HashMap<>(); + if (c != null || resourceOwnerSubject != null) { + query.append(" WHERE"); + if (c != null) { + query.append(" t.client.clientId = :clientId"); + parameterMap.put("clientId", c.getClientId()); + } + if (resourceOwnerSubject != null) { + if (!parameterMap.isEmpty()) { + query.append(" AND"); + } + query.append(" t.subject.login = :login"); + parameterMap.put("login", resourceOwnerSubject.getLogin()); + } + } + TypedQuery<T> typedQuery = entityManager.createQuery(query.toString(), resultClass); + for (Map.Entry<String, Object> entry : parameterMap.entrySet()) { + typedQuery.setParameter(entry.getKey(), entry.getValue()); } + return typedQuery; } /**
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HmacAlgorithm.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HmacAlgorithm.java
index 9d91ce7..9396dcc 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HmacAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HmacAlgorithm.java 
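Review bot: In the new `getQuery` helper the first parameter, `table`, is concatenated straight into the JPQL text (`new StringBuilder("SELECT t FROM ").append(table)`) while `clientId` and `login` are bound with `setParameter`; that asymmetry is only safe while every caller passes a compile-time entity-name literal, as the two visible callers do, and nothing in the signature says so. Renaming the parameter to `entityName` (it is a JPQL entity, not a table) and adding a Javadoc such as `@param entityName JPQL entity name; it is spliced into the query text, so it must be a constant and never caller-supplied input` would pin that contract for any future caller. The rewrite also replaces the explicit `JOIN t.subject s` / `JOIN t.client c` of the removed code with path navigation (`t.subject.login`, `t.client.clientId`); that should be equivalent for single-valued associations, but it is a query-shape change worth confirming against the JPA provider in use rather than assuming.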
@@ -41,13 +41,12 @@ public enum HmacAlgorithm { } public static HmacAlgorithm toHmacAlgorithm(String value) { - if (OAuthConstants.HMAC_ALGO_SHA_1.equals(value)) { - return HmacSHA1; + for (HmacAlgorithm ha : HmacAlgorithm.values()) { + if (ha.oauthName.equals(value)) { + return ha; + } } - if (OAuthConstants.HMAC_ALGO_SHA_256.equals(value)) { - return HmacSHA256; - } - return null; + throw new IllegalArgumentException(value); } } \ No newline at end of file
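Review bot: `toHmacAlgorithm` now throws `IllegalArgumentException` where it previously returned `null` for an unrecognised name, and the commit touches no caller (the diffstat lists three files, none of them a call site), so any code that tested the result for `null` and took a fallback path will now propagate an unchecked exception instead; the callers should be audited or the new contract recorded in the method's Javadoc with `@throws`. The message is the bare `value`, which is uninformative in a log and, if `value` comes from a client-supplied Hawk `Authorization` header, echoes it with no context; `throw new IllegalArgumentException("Unsupported HMAC algorithm: " + value);` would read better. A `null` argument passes `ha.oauthName.equals(value)` harmlessly and ends in the same exception with a `null` message, which the Javadoc should also state. The enclosing enum `HmacAlgorithm` begins outside the hunk.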