This is an automated email from the ASF dual-hosted git repository. buhhunyx pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push: new 62ed364 cleanup after CXF upgrade 62ed364 is described below commit 62ed3645b0d6468379cc1c754a05a057f39a858d Author: Alexey Markevich <buhhu...@gmail.com> AuthorDate: Fri Feb 14 16:00:09 2020 +0300 cleanup after CXF upgrade --- .../fediz/service/oidc/FedizOidcKeysService.java | 165 --------------------- .../fediz/service/oidc/OAuthDataProviderImpl.java | 99 ------------- .../src/main/webapp/WEB-INF/applicationContext.xml | 2 +- .../src/test/resources/oidc/applicationContext.xml | 4 +- .../resources/oidc/spring/applicationContext.xml | 4 +- .../cxf/fediz/systests/common/AbstractTests.java | 4 - 6 files changed, 5 insertions(+), 273 deletions(-) diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java deleted file mode 100644 index 65468e5..0000000 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java +++ /dev/null 
@@ -1,165 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.fediz.service.oidc; - -import java.security.PublicKey; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Iterator; -import java.util.List; -import java.util.Properties; - -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.Produces; - -import org.apache.cxf.common.util.PropertyUtils; -import org.apache.cxf.jaxrs.client.WebClient; -import org.apache.cxf.jaxrs.utils.JAXRSUtils; -import org.apache.cxf.message.Message; -import org.apache.cxf.rs.security.jose.common.JoseConstants; -import org.apache.cxf.rs.security.jose.common.JoseException; -import org.apache.cxf.rs.security.jose.common.KeyManagementUtils; -import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; -import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys; -import org.apache.cxf.rs.security.jose.jwk.JwkUtils; -import org.apache.cxf.rs.security.jose.jwk.KeyOperation; -import org.apache.cxf.rs.security.jose.jwk.KeyType; -import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse; -import org.apache.cxf.rs.security.jose.jws.JwsUtils; - -/** - * TODO Remove this once we pick up 
CXF 3.3.5 - */ -@Path("keys") -public class FedizOidcKeysService { - - private volatile JsonWebKeys keySet; - private WebClient keyServiceClient; - private boolean stripPrivateParameters = true; - - @GET - @Produces("application/json") - public JsonWebKeys getPublicVerificationKeys() { - if (keySet == null) { - if (keyServiceClient == null) { - keySet = getFromLocalStore(stripPrivateParameters); - } else { - keySet = keyServiceClient.get(JsonWebKeys.class); - } - - } - return keySet; - } - - private static JsonWebKeys getFromLocalStore(boolean stripPrivateParameters) { - Properties props = JwsUtils.loadSignatureInProperties(true); - return loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(), props, stripPrivateParameters); - } - - public void setKeyServiceClient(WebClient keyServiceClient) { - this.keyServiceClient = keyServiceClient; - } - - public boolean isStripPrivateParameters() { - return stripPrivateParameters; - } - - /** - * Whether to strip private parameters from the keys that are returned. The default is true. - */ - public void setStripPrivateParameters(boolean stripPrivateParameters) { - this.stripPrivateParameters = stripPrivateParameters; - } - - private static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props, boolean stripPrivateParameters) { - String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE); - if ("jwk".equals(storeType)) { - List<JsonWebKey> jsonWebKeys = loadJsonWebKeys(m, props, KeyOperation.SIGN); - if (jsonWebKeys == null || jsonWebKeys.isEmpty()) { - throw new JoseException("Error loading keys"); - } - JsonWebKeys retKeys = new JsonWebKeys(); - retKeys.setKeys(stripPrivateParameters ? 
stripPrivateParameters(jsonWebKeys) : jsonWebKeys); - return retKeys; - } - X509Certificate[] certs = null; - if (PropertyUtils.isTrue(props.get(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT))) { - certs = KeyManagementUtils.loadX509CertificateOrChain(m, props); - } - PublicKey key = certs != null && certs.length > 0 - ? certs[0].getPublicKey() : KeyManagementUtils.loadPublicKey(m, props); - JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM); - jwk.setPublicKeyUse(PublicKeyUse.SIGN); - if (certs != null) { - jwk.setX509Chain(KeyManagementUtils.encodeX509CertificateChain(certs)); - } - return new JsonWebKeys(jwk); - } - - private static List<JsonWebKey> stripPrivateParameters(List<JsonWebKey> keys) { - if (keys == null) { - return Collections.emptyList(); - } - - List<JsonWebKey> parsedKeys = new ArrayList<>(keys.size()); - Iterator<JsonWebKey> iter = keys.iterator(); - while (iter.hasNext()) { - JsonWebKey key = iter.next(); - if (!(key.containsProperty("k") || key.getKeyType() == KeyType.OCTET)) { - // We don't allow secret keys in a public keyset - key.removeProperty(JsonWebKey.RSA_PRIVATE_EXP); - key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR); - key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR); - key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_CRT); - key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_CRT); - key.removeProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT); - parsedKeys.add(key); - } - } - return parsedKeys; - } - - private static List<JsonWebKey> loadJsonWebKeys(Message m, - Properties props, - KeyOperation keyOper) { - JsonWebKeys jwkSet = JwkUtils.loadJwkSet(m, props, null); - String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper); - if (kid != null) { - return Collections.singletonList(jwkSet.getKey(kid)); - } - String kids = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIASES, keyOper); - if (kids != null) { - String[] values = 
kids.split(","); - List<JsonWebKey> keys = new ArrayList<>(values.length); - for (String value : values) { - keys.add(jwkSet.getKey(value)); - } - return keys; - } - if (keyOper != null) { - List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper); - if (keys != null && keys.size() == 1) { - return Collections.singletonList(keys.get(0)); - } - } - return null; - } -} diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java index 0cbc666..29232f3 100644 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java @@ -24,12 +24,9 @@ import java.util.List; import java.util.Set; import org.apache.cxf.rs.security.oauth2.common.Client; -import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; import org.apache.cxf.rs.security.oauth2.grants.code.JCacheCodeDataProvider; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; -import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; -import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OAuthDataProviderImpl extends JCacheCodeDataProvider { 
@@ -46,100 +43,4 @@ public class OAuthDataProviderImpl extends JCacheCodeDataProvider { } } - // - // BEGIN - TODO This can be removed once we pick up CXF 3.3.5 - // - - @Override - public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, - List<String> restrictedScopes) throws OAuthServiceException { - RefreshToken currentRefreshToken = isRecycleRefreshTokens() - ? revokeRefreshToken(client, refreshTokenKey) : getRefreshToken(refreshTokenKey); - if (currentRefreshToken == null) { - throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED); - } - if (OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(), currentRefreshToken.getExpiresIn())) { - if (!isRecycleRefreshTokens()) { - revokeRefreshToken(client, refreshTokenKey); - } - throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED); - } - if (isRecycleRefreshTokens()) { - revokeAccessTokens(client, currentRefreshToken); - } - - ServerAccessToken at = doRefreshAccessToken(client, currentRefreshToken, restrictedScopes); - saveAccessToken(at); - if (isRecycleRefreshTokens()) { - createNewRefreshToken(at); - } else { - updateExistingRefreshToken(currentRefreshToken, at); - } - return at; - } - - @Override - public void revokeToken(Client client, String tokenKey, String tokenTypeHint) throws OAuthServiceException { - ServerAccessToken accessToken = null; - if (!OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) { - accessToken = revokeAccessToken(client, tokenKey); - } - if (accessToken != null) { - handleLinkedRefreshToken(client, accessToken); - } else if (!OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) { - RefreshToken currentRefreshToken = revokeRefreshToken(client, tokenKey); - revokeAccessTokens(client, currentRefreshToken); - } - } - - protected void handleLinkedRefreshToken(Client client, ServerAccessToken accessToken) { - if (accessToken != null && accessToken.getRefreshToken() != null) { - RefreshToken rt = getRefreshToken(accessToken.getRefreshToken()); - if (rt == 
null) { - return; - } - - unlinkRefreshAccessToken(rt, accessToken.getTokenKey()); - if (rt.getAccessTokens().isEmpty()) { - revokeRefreshToken(client, rt.getTokenKey()); - } else { - saveRefreshToken(rt); - } - } - - } - - protected void revokeAccessTokens(Client client, RefreshToken currentRefreshToken) { - if (currentRefreshToken != null) { - for (String accessTokenKey : currentRefreshToken.getAccessTokens()) { - revokeAccessToken(client, accessTokenKey); - } - } - } - - protected ServerAccessToken revokeAccessToken(Client client, String accessTokenKey) { - ServerAccessToken at = getAccessToken(accessTokenKey); - if (at != null) { - if (!at.getClient().getClientId().equals(client.getClientId())) { - throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); - } - doRevokeAccessToken(at); - } - return at; - } - - protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) { - RefreshToken refreshToken = getRefreshToken(refreshTokenKey); - if (refreshToken != null) { - if (!refreshToken.getClient().getClientId().equals(client.getClientId())) { - throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); - } - doRevokeRefreshToken(refreshToken); - } - return refreshToken; - } - - // - // END - // } diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml index e065b23..b2ee2fe 100644 --- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml +++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml @@ -104,7 +104,7 @@ Public JWK Key Service: Disable it if the client secret is used or if pre-installing public OIDC keys to clients is preferred --> - <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/> + <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> <jaxrs:server address="/jwk"> <jaxrs:serviceBeans> <ref bean="oidcKeysService"/> 
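Review bot: The new `oidcKeysService` bean is declared without any properties, whereas the deleted `FedizOidcKeysService` it replaces carried `stripPrivateParameters` defaulting to `true` and removed the RSA private exponent and prime/CRT parameters (the `JsonWebKey.RSA_*` properties) before the set was served on the public `/jwk` endpoint. If the CXF `org.apache.cxf.rs.security.oidc.idp.OidcKeysService` defaults that behaviour differently, this swap would publish the signing key's private parameters, so the default should be confirmed against the CXF version the commit upgrades to. If the replacement exposes the same setter, pinning it in the bean makes the intent explicit regardless of the library default, e.g. `<property name="stripPrivateParameters" value="true"/>` inside the bean element. The same bean swap is made in the two systest applicationContext.xml files for `oidcKeysService` and `oidcKeysService2` and warrants the same check.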
diff --git a/systests/oidc/src/test/resources/oidc/applicationContext.xml b/systests/oidc/src/test/resources/oidc/applicationContext.xml index 89bf21c..40a03cb 100644 --- a/systests/oidc/src/test/resources/oidc/applicationContext.xml +++ b/systests/oidc/src/test/resources/oidc/applicationContext.xml @@ -110,7 +110,7 @@ Public JWK Key Service: Disable it if the client secret is used or if pre-installing public OIDC keys to clients is preferred --> - <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/> + <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> <jaxrs:server address="/jwk"> <jaxrs:serviceBeans> <ref bean="oidcKeysService"/> @@ -125,7 +125,7 @@ </jaxrs:properties> </jaxrs:server> - <bean id="oidcKeysService2" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/> + <bean id="oidcKeysService2" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> <jaxrs:server address="/jwk2"> <jaxrs:serviceBeans> <ref bean="oidcKeysService2"/> diff --git a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml index e2cdc7d..d5c01f7 100644 --- a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml +++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml @@ -178,7 +178,7 @@ Public JWK Key Service: Disable it if the client secret is used or if pre-installing public OIDC keys to clients is preferred --> - <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/> + <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> <jaxrs:server address="/jwk"> <jaxrs:serviceBeans> <ref bean="oidcKeysService"/> 
@@ -193,7 +193,7 @@ </jaxrs:properties> </jaxrs:server> - <bean id="oidcKeysService2" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/> + <bean id="oidcKeysService2" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> <jaxrs:server address="/jwk2"> <jaxrs:serviceBeans> <ref bean="oidcKeysService2"/> diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java index 02bb2d1..a1bc168 100644 --- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java +++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java @@ -65,10 +65,6 @@ public abstract class AbstractTests { WSSConfig.init(); } - public AbstractTests() { - super(); - } - public abstract String getServletContextName(); public abstract String getIdpHttpsPort();