[cxf-fediz] branch master updated: cleanup after CXF upgrade


[cxf-fediz] branch master updated: cleanup after CXF upgrade

buhhunyx
This is an automated email from the ASF dual-hosted git repository.

buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new 62ed364  cleanup after CXF upgrade
62ed364 is described below

commit 62ed3645b0d6468379cc1c754a05a057f39a858d
Author: Alexey Markevich <[hidden email]>
AuthorDate: Fri Feb 14 16:00:09 2020 +0300

    cleanup after CXF upgrade
---
 .../fediz/service/oidc/FedizOidcKeysService.java   | 165 ---------------------
 .../fediz/service/oidc/OAuthDataProviderImpl.java  |  99 -------------
 .../src/main/webapp/WEB-INF/applicationContext.xml |   2 +-
 .../src/test/resources/oidc/applicationContext.xml |   4 +-
 .../resources/oidc/spring/applicationContext.xml   |   4 +-
 .../cxf/fediz/systests/common/AbstractTests.java   |   4 -
 6 files changed, 5 insertions(+), 273 deletions(-)

diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java
deleted file mode 100644
index 65468e5..0000000
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizOidcKeysService.java
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.oidc;
-
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Properties;
-
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-
-import org.apache.cxf.common.util.PropertyUtils;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.KeyManagementUtils;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
-import org.apache.cxf.rs.security.jose.jwk.KeyType;
-import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-
-/**
- * TODO Remove this once we pick up CXF 3.3.5
- */
-@Path("keys")
-public class FedizOidcKeysService {
-
-    private volatile JsonWebKeys keySet;
-    private WebClient keyServiceClient;
-    private boolean stripPrivateParameters = true;
-
-    @GET
-    @Produces("application/json")
-    public JsonWebKeys getPublicVerificationKeys() {
-        if (keySet == null) {
-            if (keyServiceClient == null) {
-                keySet = getFromLocalStore(stripPrivateParameters);
-            } else {
-                keySet = keyServiceClient.get(JsonWebKeys.class);
-            }
-
-        }
-        return keySet;
-    }
-
-    private static JsonWebKeys getFromLocalStore(boolean stripPrivateParameters) {
-        Properties props = JwsUtils.loadSignatureInProperties(true);
-        return loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(), props, stripPrivateParameters);
-    }
-
-    public void setKeyServiceClient(WebClient keyServiceClient) {
-        this.keyServiceClient = keyServiceClient;
-    }
-
-    public boolean isStripPrivateParameters() {
-        return stripPrivateParameters;
-    }
-
-    /**
-     * Whether to strip private parameters from the keys that are returned. The default is true.
-     */
-    public void setStripPrivateParameters(boolean stripPrivateParameters) {
-        this.stripPrivateParameters = stripPrivateParameters;
-    }
-    
-    private static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props, boolean stripPrivateParameters) {
-        String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
-        if ("jwk".equals(storeType)) {
-            List<JsonWebKey> jsonWebKeys = loadJsonWebKeys(m, props, KeyOperation.SIGN);
-            if (jsonWebKeys == null || jsonWebKeys.isEmpty()) {
-                throw new JoseException("Error loading keys");
-            }
-            JsonWebKeys retKeys = new JsonWebKeys();
-            retKeys.setKeys(stripPrivateParameters ?  stripPrivateParameters(jsonWebKeys) : jsonWebKeys);
-            return retKeys;
-        }
-        X509Certificate[] certs = null;
-        if (PropertyUtils.isTrue(props.get(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT))) {
-            certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
-        }
-        PublicKey key = certs != null && certs.length > 0
-            ? certs[0].getPublicKey() : KeyManagementUtils.loadPublicKey(m, props);
-        JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
-        jwk.setPublicKeyUse(PublicKeyUse.SIGN);
-        if (certs != null) {
-            jwk.setX509Chain(KeyManagementUtils.encodeX509CertificateChain(certs));
-        }
-        return new JsonWebKeys(jwk);
-    }
-
-    private static List<JsonWebKey> stripPrivateParameters(List<JsonWebKey> keys) {
-        if (keys == null) {
-            return Collections.emptyList();
-        }
-
-        List<JsonWebKey> parsedKeys = new ArrayList<>(keys.size());
-        Iterator<JsonWebKey> iter = keys.iterator();
-        while (iter.hasNext()) {
-            JsonWebKey key = iter.next();
-            if (!(key.containsProperty("k") || key.getKeyType() == KeyType.OCTET)) {
-                // We don't allow secret keys in a public keyset
-                key.removeProperty(JsonWebKey.RSA_PRIVATE_EXP);
-                key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR);
-                key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR);
-                key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_CRT);
-                key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_CRT);
-                key.removeProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT);
-                parsedKeys.add(key);
-            }
-        }
-        return parsedKeys;
-    }
-    
-    private static List<JsonWebKey> loadJsonWebKeys(Message m,
-                                                   Properties props,
-                                                   KeyOperation keyOper) {
-        JsonWebKeys jwkSet = JwkUtils.loadJwkSet(m, props, null);
-        String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper);
-        if (kid != null) {
-            return Collections.singletonList(jwkSet.getKey(kid));
-        }
-        String kids = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIASES, keyOper);
-        if (kids != null) {
-            String[] values = kids.split(",");
-            List<JsonWebKey> keys = new ArrayList<>(values.length);
-            for (String value : values) {
-                keys.add(jwkSet.getKey(value));
-            }
-            return keys;
-        }
-        if (keyOper != null) {
-            List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper);
-            if (keys != null && keys.size() == 1) {
-                return Collections.singletonList(keys.get(0));
-            }
-        }
-        return null;
-    }
-}
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
index 0cbc666..29232f3 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
@@ -24,12 +24,9 @@ import java.util.List;
 import java.util.Set;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.grants.code.JCacheCodeDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OAuthDataProviderImpl extends JCacheCodeDataProvider {
@@ -46,100 +43,4 @@ public class OAuthDataProviderImpl extends JCacheCodeDataProvider {
         }
     }
 
-    //
-    // BEGIN - TODO This can be removed once we pick up CXF 3.3.5
-    //
-
-    @Override
-    public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey,
-                                                List<String> restrictedScopes) throws OAuthServiceException {
-        RefreshToken currentRefreshToken = isRecycleRefreshTokens()
-            ? revokeRefreshToken(client, refreshTokenKey) : getRefreshToken(refreshTokenKey);
-        if (currentRefreshToken == null) {
-            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
-        }
-        if (OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(), currentRefreshToken.getExpiresIn())) {
-            if (!isRecycleRefreshTokens()) {
-                revokeRefreshToken(client, refreshTokenKey);
-            }
-            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
-        }
-        if (isRecycleRefreshTokens()) {
-            revokeAccessTokens(client, currentRefreshToken);
-        }
-
-        ServerAccessToken at = doRefreshAccessToken(client, currentRefreshToken, restrictedScopes);
-        saveAccessToken(at);
-        if (isRecycleRefreshTokens()) {
-            createNewRefreshToken(at);
-        } else {
-            updateExistingRefreshToken(currentRefreshToken, at);
-        }
-        return at;
-    }
-
-    @Override
-    public void revokeToken(Client client, String tokenKey, String tokenTypeHint) throws OAuthServiceException {
-        ServerAccessToken accessToken = null;
-        if (!OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {
-            accessToken = revokeAccessToken(client, tokenKey);
-        }
-        if (accessToken != null) {
-            handleLinkedRefreshToken(client, accessToken);
-        } else if (!OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) {
-            RefreshToken currentRefreshToken = revokeRefreshToken(client, tokenKey);
-            revokeAccessTokens(client, currentRefreshToken);
-        }
-    }
-
-    protected void handleLinkedRefreshToken(Client client, ServerAccessToken accessToken) {
-        if (accessToken != null && accessToken.getRefreshToken() != null) {
-            RefreshToken rt = getRefreshToken(accessToken.getRefreshToken());
-            if (rt == null) {
-                return;
-            }
-
-            unlinkRefreshAccessToken(rt, accessToken.getTokenKey());
-            if (rt.getAccessTokens().isEmpty()) {
-                revokeRefreshToken(client, rt.getTokenKey());
-            } else {
-                saveRefreshToken(rt);
-            }
-        }
-
-    }
-
-    protected void revokeAccessTokens(Client client, RefreshToken currentRefreshToken) {
-        if (currentRefreshToken != null) {
-            for (String accessTokenKey : currentRefreshToken.getAccessTokens()) {
-                revokeAccessToken(client, accessTokenKey);
-            }
-        }
-    }
-
-    protected ServerAccessToken revokeAccessToken(Client client, String accessTokenKey) {
-        ServerAccessToken at = getAccessToken(accessTokenKey);
-        if (at != null) {
-            if (!at.getClient().getClientId().equals(client.getClientId())) {
-                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
-            }
-            doRevokeAccessToken(at);
-        }
-        return at;
-    }
-
-    protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
-        RefreshToken refreshToken = getRefreshToken(refreshTokenKey);
-        if (refreshToken != null) {
-            if (!refreshToken.getClient().getClientId().equals(client.getClientId())) {
-                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
-            }
-            doRevokeRefreshToken(refreshToken);
-        }
-        return refreshToken;
-    }
-
-    //
-    // END
-    //
 }
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index e065b23..b2ee2fe 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -104,7 +104,7 @@
          Public JWK Key Service: Disable it if the client secret is used or if
          pre-installing public OIDC keys to clients is preferred
     -->
-    <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+    <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
     <jaxrs:server address="/jwk">
         <jaxrs:serviceBeans>
            <ref bean="oidcKeysService"/>
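Review bot: The `+` line swaps in `org.apache.cxf.rs.security.oidc.idp.OidcKeysService` with no properties, whereas the deleted Fediz class it replaces defaulted `stripPrivateParameters` to true and removed the RSA private-key members from every key before publishing a `jwk`-type store on `/jwk`. Whether the upstream class applies the same stripping by default is not visible in this diff; if it does not, or its property is named differently, this endpoint would serve the signing key's private parameters whenever the configured key store type is `jwk`. Worth confirming against the CXF version now pulled in by the parent pom and, if the property exists, pinning it explicitly rather than relying on a default, e.g. `<bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"><property name="stripPrivateParameters" value="true"/></bean>`. The same substitution appears in the two systests applicationContext.xml files below (`oidcKeysService` and `oidcKeysService2`), so any property added here should be mirrored there.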
diff --git a/systests/oidc/src/test/resources/oidc/applicationContext.xml b/systests/oidc/src/test/resources/oidc/applicationContext.xml
index 89bf21c..40a03cb 100644
--- a/systests/oidc/src/test/resources/oidc/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/applicationContext.xml
@@ -110,7 +110,7 @@
          Public JWK Key Service: Disable it if the client secret is used or if
          pre-installing public OIDC keys to clients is preferred
     -->
-    <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+    <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
     <jaxrs:server address="/jwk">
         <jaxrs:serviceBeans>
            <ref bean="oidcKeysService"/>
@@ -125,7 +125,7 @@
         </jaxrs:properties>
     </jaxrs:server>
     
-    <bean id="oidcKeysService2" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+    <bean id="oidcKeysService2" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
     <jaxrs:server address="/jwk2">
         <jaxrs:serviceBeans>
            <ref bean="oidcKeysService2"/>
diff --git a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
index e2cdc7d..d5c01f7 100644
--- a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
@@ -178,7 +178,7 @@
          Public JWK Key Service: Disable it if the client secret is used or if
          pre-installing public OIDC keys to clients is preferred
     -->
-    <bean id="oidcKeysService" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+    <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
     <jaxrs:server address="/jwk">
         <jaxrs:serviceBeans>
            <ref bean="oidcKeysService"/>
@@ -193,7 +193,7 @@
         </jaxrs:properties>
     </jaxrs:server>
     
-    <bean id="oidcKeysService2" class="org.apache.cxf.fediz.service.oidc.FedizOidcKeysService"/>
+    <bean id="oidcKeysService2" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
     <jaxrs:server address="/jwk2">
         <jaxrs:serviceBeans>
            <ref bean="oidcKeysService2"/>
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index 02bb2d1..a1bc168 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -65,10 +65,6 @@ public abstract class AbstractTests {
         WSSConfig.init();
     }
 
-    public AbstractTests() {
-        super();
-    }
-
     public abstract String getServletContextName();
 
     public abstract String getIdpHttpsPort();