Blame - full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java - KorAP/Kustvakt

2018-04-25 22:48:09 +0200

[diff] [blame]

1

package de.ids_mannheim.korap.oauth2.service;

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

2

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

3

import java.net.MalformedURLException;

4

import java.net.URI;

5

import java.net.URISyntaxException;

6

import java.net.URL;

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

7

import java.sql.SQLException;

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

8

import java.util.ArrayList;

9

import java.util.Collections;

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

10

import java.util.List;

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

11

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

12

import org.apache.commons.validator.routines.UrlValidator;

13

import org.springframework.beans.factory.annotation.Autowired;

14

import org.springframework.stereotype.Service;

15

margaretha

2018-04-10 19:26:44 +0200

[diff] [blame]

16

import de.ids_mannheim.korap.config.FullConfiguration;

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

17

import de.ids_mannheim.korap.dao.AdminDao;

margaretha

2018-07-26 13:50:17 +0200

[diff] [blame]

18

import de.ids_mannheim.korap.encryption.RandomCodeGenerator;

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

19

import de.ids_mannheim.korap.exceptions.KustvaktException;

20

import de.ids_mannheim.korap.exceptions.StatusCodes;

21

import de.ids_mannheim.korap.interfaces.EncryptionIface;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

22

import de.ids_mannheim.korap.oauth2.constant.OAuth2ClientType;

23

import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

24

import de.ids_mannheim.korap.oauth2.dao.AccessTokenDao;

margaretha

3495447

2018-10-24 20:05:17 +0200

[diff] [blame]

25

import de.ids_mannheim.korap.oauth2.dao.AuthorizationDao;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

26

import de.ids_mannheim.korap.oauth2.dao.OAuth2ClientDao;

margaretha

2018-08-23 18:51:49 +0200

[diff] [blame]

27

import de.ids_mannheim.korap.oauth2.dao.RefreshTokenDao;

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

28

import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientDto;

29

import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientInfoDto;

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

30

import de.ids_mannheim.korap.oauth2.dto.OAuth2UserClientDto;

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

31

import de.ids_mannheim.korap.oauth2.entity.AccessToken;

32

import de.ids_mannheim.korap.oauth2.entity.Authorization;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

33

import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;

margaretha

2018-08-23 18:51:49 +0200

[diff] [blame]

34

import de.ids_mannheim.korap.oauth2.entity.RefreshToken;

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

35

import de.ids_mannheim.korap.web.input.OAuth2ClientJson;

36

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

37

/**

margaretha

398f472

2019-01-09 19:07:20 +0100

[diff] [blame]

38

* Defines business logic related to OAuth2 client including

39

* client registration and client authentication.

40

*

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

41

* According to RFC 6749, an authorization server MUST:

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

42

* <ul>

43

* <li>

44

* require client authentication for confidential clients or for any

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

45

* client that was issued client credentials (or with other

46

* authentication

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

* requirements),

* </li>

*

* <li>authenticate the client if client authentication is included

* </li>

* </ul>

*

* @author margaretha

*

*/

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

57

@Service

58

public class OAuth2ClientService {

59

60

@Autowired

61

private OAuth2ClientDao clientDao;

62

@Autowired

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

63

private AccessTokenDao tokenDao;

64

@Autowired

margaretha

2018-08-23 18:51:49 +0200

[diff] [blame]

65

private RefreshTokenDao refreshDao;

66

@Autowired

margaretha

3495447

2018-10-24 20:05:17 +0200

[diff] [blame]

67

private AuthorizationDao authorizationDao;

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

68

@Autowired

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

69

private AdminDao adminDao;

70

@Autowired

margaretha

e4034a8

2018-07-02 14:46:59 +0200

[diff] [blame]

71

private UrlValidator redirectURIValidator;

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

72

@Autowired

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

73

private UrlValidator urlValidator;

74

@Autowired

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

75

private EncryptionIface encryption;

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

76

@Autowired

margaretha

2018-07-26 13:50:17 +0200

[diff] [blame]

77

private RandomCodeGenerator codeGenerator;

78

@Autowired

margaretha

2018-04-10 19:26:44 +0200

[diff] [blame]

79

private FullConfiguration config;

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

80

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

81

public OAuth2ClientDto registerClient (OAuth2ClientJson clientJson,

82

String registeredBy) throws KustvaktException {

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

83

String url = clientJson.getUrl();

84

int urlHashCode = 0;

85

if (url != null && !url.isEmpty()) {

86

urlHashCode = clientJson.getUrl().hashCode();

margaretha

85273f1

2019-02-04 18:13:17 +0100

[diff] [blame]

87

if (!urlValidator.isValid(url)) {

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

88

throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,

89

url + " is invalid.", OAuth2Error.INVALID_REQUEST);

90

}

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

91

}

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

92

93

String redirectURI = clientJson.getRedirectURI();

94

if (redirectURI != null && !redirectURI.isEmpty()

margaretha

85273f1

2019-02-04 18:13:17 +0100

[diff] [blame]

95

&& !redirectURIValidator.isValid(redirectURI)) {

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

96

throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,

97

redirectURI + " is invalid.", OAuth2Error.INVALID_REQUEST);

98

}

99

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

100

// boolean isNative = isNativeClient(url, redirectURI);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

101

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

102

String secret = null;

margaretha

2018-04-10 19:26:44 +0200

[diff] [blame]

103

String secretHashcode = null;

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

104

if (clientJson.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

margaretha

fb1e099

2018-04-10 14:58:28 +0200

[diff] [blame]

105

// RFC 6749:

margaretha

07402f4

2018-05-07 19:07:45 +0200

[diff] [blame]

106

// The authorization server MUST NOT issue client

107

// passwords or other client credentials to native

108

// application (clients installed and executed on the

109

// device used by the resource owner e.g. desktop

110

// application, native mobile application) or

111

// user-agent-based application clients for client

112

// authentication. The authorization server MAY issue a

113

// client password or other credentials for a specific

114

// installation of a native application client on a

margaretha

fb1e099

2018-04-10 14:58:28 +0200

[diff] [blame]

115

// specific device.

116

margaretha

2018-07-26 13:50:17 +0200

[diff] [blame]

117

secret = codeGenerator.createRandomCode();

margaretha

2018-04-10 19:26:44 +0200

[diff] [blame]

118

secretHashcode = encryption.secureHash(secret,

119

config.getPasscodeSaltField());

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

120

}

121

margaretha

2018-07-26 13:50:17 +0200

[diff] [blame]

122

String id = codeGenerator.createRandomCode();

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

123

try {

margaretha

2018-04-10 19:26:44 +0200

[diff] [blame]

124

clientDao.registerClient(id, secretHashcode, clientJson.getName(),

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

125

clientJson.getType(), url, urlHashCode, redirectURI,

126

registeredBy, clientJson.getDescription());

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

127

}

128

catch (Exception e) {

129

Throwable cause = e;

130

Throwable lastCause = null;

131

while ((cause = cause.getCause()) != null

132

&& !cause.equals(lastCause)) {

133

if (cause instanceof SQLException) {

margaretha

b1081b1

2018-07-03 23:35:01 +0200

[diff] [blame]

134

break;

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

135

}

136

lastCause = cause;

137

}

margaretha

b1081b1

2018-07-03 23:35:01 +0200

[diff] [blame]

138

throw new KustvaktException(StatusCodes.CLIENT_REGISTRATION_FAILED,

139

cause.getMessage(), OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

140

}

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

141

142

return new OAuth2ClientDto(id, secret);

143

}

144

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

145

@Deprecated

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

146

private boolean isNativeClient (String url, String redirectURI)

147

throws KustvaktException {

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

148

if (url == null || url.isEmpty() || redirectURI == null

149

|| redirectURI.isEmpty()) {

return false;

}

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

153

String nativeHost = config.getNativeClientHost();

154

String urlHost = null;

155

try {

156

urlHost = new URL(url).getHost();

157

}

158

catch (MalformedURLException e) {

159

throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,

160

"Invalid url :" + e.getMessage(),

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

161

OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

162

}

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

163

164

if (!urlHost.equals(nativeHost)) {

return false;

}

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

168

String uriHost = null;

169

try {

170

uriHost = new URI(redirectURI).getHost();

171

}

172

catch (URISyntaxException e) {

173

throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,

margaretha

2018-04-23 20:00:13 +0200

[diff] [blame]

174

"Invalid redirectURI: " + e.getMessage(),

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

175

OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

176

}

margaretha

2018-07-02 19:01:43 +0200

[diff] [blame]

177

if (!uriHost.equals(nativeHost)) {

return false;

}

return true;

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

182

}

183

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

184

public void deregisterClient (String clientId, String clientSecret,

185

String username) throws KustvaktException {

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

186

margaretha

2018-04-23 20:00:13 +0200

[diff] [blame]

187

OAuth2Client client = clientDao.retrieveClientById(clientId);

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

188

if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

189

authenticateClient(clientId, clientSecret);

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

190

}

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

191

192

if (adminDao.isAdmin(username)

193

|| client.getRegisteredBy().equals(username)) {

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

194

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

195

revokeAllAuthorizationsByClientId(clientId);

margaretha

85273f1

2019-02-04 18:13:17 +0100

[diff] [blame]

196

clientDao.deregisterClient(client);

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

197

}

198

else {

199

throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,

200

"Unauthorized operation for user: " + username, username);

}

}

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

204

private void revokeAllAuthorizationsByClientId (String clientId)

205

throws KustvaktException {

206

207

// revoke all related authorization codes

208

List<Authorization> authList =

209

authorizationDao.retrieveAuthorizationsByClientId(clientId);

210

for (Authorization authorization : authList) {

211

authorization.setRevoked(true);

212

authorizationDao.updateAuthorization(authorization);

213

}

214

215

// revoke all related access tokens

216

List<AccessToken> tokens =

217

tokenDao.retrieveAccessTokenByClientId(clientId);

218

for (AccessToken token : tokens) {

219

token.setRevoked(true);

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

220

tokenDao.updateAccessToken(token);

221

}

margaretha

2018-08-23 18:51:49 +0200

[diff] [blame]

222

223

List<RefreshToken> refreshTokens =

224

refreshDao.retrieveRefreshTokenByClientId(clientId);

225

for (RefreshToken token : refreshTokens) {

226

token.setRevoked(true);

227

refreshDao.updateRefreshToken(token);

228

}

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

229

}

230

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

231

public OAuth2ClientDto resetSecret (String clientId, String clientSecret,

232

String username) throws KustvaktException {

233

234

OAuth2Client client = authenticateClient(clientId, clientSecret);

235

if (!client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

236

throw new KustvaktException(StatusCodes.NOT_ALLOWED,

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

237

"Operation is not allowed for public clients",

238

OAuth2Error.INVALID_REQUEST);

239

}

240

if (adminDao.isAdmin(username)

241

|| client.getRegisteredBy().equals(username)) {

242

243

String secret = codeGenerator.createRandomCode();

244

String secretHashcode = encryption.secureHash(secret,

245

config.getPasscodeSaltField());

246

247

client.setSecret(secretHashcode);

248

clientDao.updateClient(client);

249

return new OAuth2ClientDto(clientId, secret);

margaretha

2018-04-10 12:39:56 +0200

[diff] [blame]

250

}

251

else {

252

throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,

253

"Unauthorized operation for user: " + username, username);

254

}

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

255

}

256

margaretha

2018-04-23 20:00:13 +0200

[diff] [blame]

257

public OAuth2Client authenticateClient (String clientId,

258

String clientSecret) throws KustvaktException {

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

259

margaretha

2018-04-23 20:00:13 +0200

[diff] [blame]

260

if (clientId == null || clientId.isEmpty()) {

margaretha

0512231

2018-04-16 15:01:34 +0200

[diff] [blame]

261

throw new KustvaktException(

262

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

263

"Missing parameters: client id",

264

OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

265

}

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

266

margaretha

2018-04-23 20:00:13 +0200

[diff] [blame]

267

OAuth2Client client = clientDao.retrieveClientById(clientId);

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

268

authenticateClient(client, clientSecret);

return client;

}

public void authenticateClient (OAuth2Client client, String clientSecret)

273

throws KustvaktException {

margaretha

2018-08-14 15:58:51 +0200

[diff] [blame]

274

if (clientSecret == null || clientSecret.isEmpty()) {

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

275

if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

276

throw new KustvaktException(

277

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

278

"Missing parameters: client_secret",

279

OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

280

}

281

}

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

282

else if (client.getSecret() == null || client.getSecret().isEmpty()) {

283

if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

284

throw new KustvaktException(

285

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

286

"Client secret was not registered",

287

OAuth2Error.INVALID_CLIENT);

288

}

289

}

margaretha

2018-07-03 14:22:59 +0200

[diff] [blame]

290

else if (!encryption.checkHash(clientSecret, client.getSecret(),

291

config.getPasscodeSaltField())) {

292

throw new KustvaktException(

293

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

294

"Invalid client credentials", OAuth2Error.INVALID_CLIENT);

295

}

margaretha

2018-04-03 20:40:45 +0200

[diff] [blame]

296

}

margaretha

fb1e099

2018-04-10 14:58:28 +0200

[diff] [blame]

297

margaretha

07402f4

2018-05-07 19:07:45 +0200

[diff] [blame]

298

public OAuth2Client authenticateClientId (String clientId)

299

throws KustvaktException {

300

if (clientId == null || clientId.isEmpty()) {

301

throw new KustvaktException(

302

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

303

"Missing parameters: client id",

304

OAuth2Error.INVALID_REQUEST);

305

}

306

307

return clientDao.retrieveClientById(clientId);

308

}

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

309

310

public void updatePrivilege (String username, String clientId,

311

boolean isSuper) throws KustvaktException {

312

313

if (adminDao.isAdmin(username)) {

314

OAuth2Client client = clientDao.retrieveClientById(clientId);

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

315

if (isSuper) {

316

if (!client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {

317

throw new KustvaktException(StatusCodes.NOT_ALLOWED,

318

"Only confidential clients are allowed to be super clients.");

319

}

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

320

}

margaretha

2018-08-16 16:19:53 +0200

[diff] [blame]

321

else {

322

revokeAllAuthorizationsByClientId(clientId);

323

}

324

margaretha

2018-08-15 19:04:03 +0200

[diff] [blame]

325

client.setSuper(isSuper);

326

clientDao.updateClient(client);

327

}

328

else {

329

throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,

330

"Unauthorized operation for user: " + username, username);

}

}

public OAuth2ClientInfoDto retrieveClientInfo (String username,

335

String clientId) throws KustvaktException {

336

OAuth2Client client = clientDao.retrieveClientById(clientId);

337

if (adminDao.isAdmin(username)

338

|| username.equals(client.getRegisteredBy())) {

339

return new OAuth2ClientInfoDto(client);

340

}

341

else {

342

throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,

343

"Unauthorized operation for user: " + username, username);

344

}

345

}

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

346

347

public OAuth2Client retrieveClient (String clientId)

348

throws KustvaktException {

349

return clientDao.retrieveClientById(clientId);

350

}

351

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

352

public List<OAuth2UserClientDto> listUserClients (String username,

353

String clientId, String clientSecret) throws KustvaktException {

354

OAuth2Client client = authenticateClient(clientId, clientSecret);

355

if (!client.isSuper()) {

356

throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,

357

"Only super client is allowed to list user clients.",

358

OAuth2Error.UNAUTHORIZED_CLIENT);

359

}

margaretha

5a2c34e

2018-11-29 19:35:13 +0100

[diff] [blame]

360

List<OAuth2Client> userClients =

361

clientDao.retrieveUserClients(username);

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

362

Collections.sort(userClients);

margaretha

5a2c34e

2018-11-29 19:35:13 +0100

[diff] [blame]

363

margaretha

2018-11-29 17:28:18 +0100

[diff] [blame]

364

List<OAuth2UserClientDto> dtoList = new ArrayList<>(userClients.size());

365

for (OAuth2Client uc : userClients) {

366

if (uc.isSuper()) continue;

367

OAuth2UserClientDto dto = new OAuth2UserClientDto();

368

dto.setClientId(uc.getId());

369

dto.setClientName(uc.getName());

dtoList.add(dto);

}

return dtoList;

}

margaretha