diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/Nonce.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/model/Nonce.java deleted file mode 100644 index b1818d246..000000000 --- a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/Nonce.java +++ /dev/null @@ -1,139 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.model; - -import java.util.Date; - -import javax.persistence.Basic; -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.NamedQueries; -import javax.persistence.NamedQuery; -import javax.persistence.Table; -import javax.persistence.Temporal; - - -@Entity -@Table(name="client_nonce") -@NamedQueries({ - @NamedQuery(name = "Nonce.getAll", query = "select n from Nonce n"), - @NamedQuery(name = "Nonce.getByClientId", query = "select n from Nonce n where n.clientId = :clientId"), - @NamedQuery(name = "Nonce.getExpired", query = "select n from Nonce n where n.expireDate is not null and n.expireDate < current_timestamp") -}) -public class Nonce { - - - private Long id; //the ID of this Nonce - - private String value; //the value of this Nonce - - private String clientId;//The id of the client who used this Nonce - - private Date useDate; //the date this Nonce was used - - private Date expireDate; //the date after which this Nonce should be removed from the database - - /** - * @return the id - */ - @Id - @GeneratedValue(strategy=GenerationType.IDENTITY) - @Column(name = "id") - public Long getId() { - return id; - } - - /** - * @param id the id to set - */ - public void setId(Long id) { - this.id = id; - } - - /** - * @return the value - */ - @Basic - @Column(name="value") - public String getValue() { - return value; - } - - /** - * @param value the value to set - */ - public void setValue(String value) { - this.value = value; - } - - /** - * @return the clientId - */ - @Basic - @Column(name="client_id") - public String getClientId() { - return clientId; - } - - /** - * @param clientId the clientId to set - */ - public void setClientId(String clientId) { - this.clientId = clientId; - } - - /** - * @return the useDate - */ - @Basic - @Temporal(javax.persistence.TemporalType.TIMESTAMP) - @Column(name="use_date") - public Date getUseDate() { - return useDate; - } - - /** - * @param useDate the useDate to set - */ - public void setUseDate(Date useDate) { - this.useDate = useDate; - } - - /** - * @return the expireDate - */ - @Basic - @Temporal(javax.persistence.TemporalType.TIMESTAMP) - @Column(name="expire_date") - public Date getExpireDate() { - return expireDate; - } - - /** - * @param expireDate the expireDate to set - */ - public void setExpireDate(Date expireDate) { - this.expireDate = expireDate; - } - - - - -} diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/NonceRepository.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/NonceRepository.java deleted file mode 100644 index 560a74ff5..000000000 --- a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/NonceRepository.java +++ /dev/null @@ -1,77 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.repository; - -import java.util.Collection; - -import org.mitre.openid.connect.model.Nonce; - -/** - * - * Nonce repository interface. - * - * @author Amanda Anganes - * - */ -public interface NonceRepository { - - /** - * Return the nonce with the given ID - * - * @param id the ID of the nonce to find - * @return the nonce, if found - */ - public Nonce getById(Long id); - - /** - * Remove the given Nonce from the database - * - * @param nonce the Nonce to remove - */ - public void remove(Nonce nonce); - - /** - * Save a new Nonce in the database - * - * @param nonce the Nonce to save - * @return the saved Nonce - */ - public Nonce save(Nonce nonce); - - /** - * Return all nonces stored in the database - * - * @return the set of nonces - */ - public Collection getAll(); - - /** - * Return all expired nonces stored in the database - * - * @return the set of expired nonces - */ - public Collection getExpired(); - - /** - * Return the set of nonces registered to the given client ID - * - * @param clientId the client ID - * @return the set of nonces registered to the client - */ - public Collection getByClientId(String clientId); - -} diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/NonceService.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/service/NonceService.java deleted file mode 100644 index b338b5263..000000000 --- a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/NonceService.java +++ /dev/null @@ -1,102 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.service; - -import java.util.Collection; - -import org.mitre.openid.connect.model.Nonce; - - -/** - * - * Nonce service interface - * - * @author Amanda Anganes - * - */ -public interface NonceService { - - /** - * Create a new nonce. - * - * @param clientId the ID of the client - * @param value the value of the Nonce - * @return the saved Nonce - */ - public Nonce create(String clientId, String value); - - /** - * Check whether a given nonce value has been previously used and stored - * by the client. - * - * @param clientId the ID of the client - * @param value the value of the nonce - * @return true if the nonce has already been used, false otherwise - */ - public boolean alreadyUsed(String clientId, String value); - - /** - * Return the nonce with the given ID - * - * @param id the ID of the nonce to find - * @return the nonce, if found - */ - public Nonce getById(Long id); - - /** - * Remove the given Nonce from the database - * - * @param nonce the Nonce to remove - */ - public void remove(Nonce nonce); - - /** - * Save a new Nonce in the database - * - * @param nonce the Nonce to save - * @return the saved Nonce - */ - public Nonce save(Nonce nonce); - - /** - * Return all nonces stored in the database - * - * @return the set of nonces - */ - public Collection getAll(); - - /** - * Return all expired nonces stored in the database - * - * @return the set of expired nonces - */ - public Collection getExpired(); - - /** - * Return the set of nonces registered to the given client ID - * - * @param clientId the client ID - * @return the set of nonces registered to the client - */ - public Collection getByClientId(String clientId); - - /** - * Clear expired nonces from the database - */ - void clearExpiredNonces(); - -} diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java index 093532e20..9319bcb11 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java @@ -26,17 +26,12 @@ import net.minidev.json.JSONObject; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService; -import org.mitre.oauth2.exception.NonceReuseException; import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.service.ClientDetailsEntityService; -import org.mitre.openid.connect.model.Nonce; -import org.mitre.openid.connect.service.NonceService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.userdetails.User; import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.AuthorizationRequest; @@ -53,8 +48,6 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory { private static Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class); - private NonceService nonceService; - private ClientDetailsEntityService clientDetailsService; @Autowired @@ -67,10 +60,9 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory { * @param nonceService */ @Autowired - public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsService, NonceService nonceService) { + public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsService) { super(clientDetailsService); this.clientDetailsService = clientDetailsService; - this.nonceService = nonceService; } @Override @@ -85,8 +77,6 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory { client = clientDetailsService.loadClientByClientId(clientId); } - String requestNonce = parameters.get("nonce"); - AuthorizationRequest request = new AuthorizationRequest(parameters, Collections. emptyMap(), parameters.get(OAuth2Utils.CLIENT_ID), OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)), null, @@ -94,23 +84,6 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory { parameters.get(OAuth2Utils.REDIRECT_URI), OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.RESPONSE_TYPE))); - //Only process if the user is authenticated. If the user is not authenticated yet, this - //code will be called a second time once the user is redirected from the login page back - //to the auth endpoint. - Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); - - if (requestNonce != null && principal != null && principal instanceof User) { - - if (!nonceService.alreadyUsed(clientId, requestNonce)) { - Nonce nonce = nonceService.create(clientId, requestNonce); - nonceService.save(nonce); - } - else { - throw new NonceReuseException(client == null ? "unidentified client" : client.getClientId(), requestNonce); - } - - } - Set scopes = OAuth2Utils.parseParameterList(parameters.get("scope")); if ((scopes == null || scopes.isEmpty()) && client != null) { Set clientScopes = client.getScope(); diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/impl/JpaNonceRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/impl/JpaNonceRepository.java deleted file mode 100644 index 431c882df..000000000 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/impl/JpaNonceRepository.java +++ /dev/null @@ -1,87 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.repository.impl; - -import java.util.Collection; - -import javax.persistence.EntityManager; -import javax.persistence.PersistenceContext; -import javax.persistence.TypedQuery; - -import org.mitre.openid.connect.model.Nonce; -import org.mitre.openid.connect.repository.NonceRepository; -import org.springframework.stereotype.Repository; -import org.springframework.transaction.annotation.Transactional; - -import static org.mitre.util.jpa.JpaUtil.saveOrUpdate; - -@Repository -public class JpaNonceRepository implements NonceRepository { - - @PersistenceContext - private EntityManager manager; - - - @Override - @Transactional - public Nonce getById(Long id) { - return manager.find(Nonce.class, id); - } - - @Override - @Transactional - public void remove(Nonce nonce) { - Nonce found = manager.find(Nonce.class, nonce.getId()); - - if (found != null) { - manager.remove(found); - } else { - throw new IllegalArgumentException("Nonce reporitory remove: Nonce with id " + nonce.getId() + " could not be found."); - } - - } - - @Override - @Transactional - public Nonce save(Nonce nonce) { - return saveOrUpdate(nonce.getId(), manager, nonce); - } - - @Override - @Transactional - public Collection getAll() { - TypedQuery query = manager.createNamedQuery("Nonce.getAll", Nonce.class); - return query.getResultList(); - } - - @Override - @Transactional - public Collection getExpired() { - TypedQuery query = manager.createNamedQuery("Nonce.getExpired", Nonce.class); - return query.getResultList(); - } - - @Override - @Transactional - public Collection getByClientId(String clientId) { - TypedQuery query = manager.createNamedQuery("Nonce.getByClientId", Nonce.class); - query.setParameter("clientId", clientId); - - return query.getResultList(); - } - -} diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultNonceService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultNonceService.java deleted file mode 100644 index 8f63d8260..000000000 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultNonceService.java +++ /dev/null @@ -1,147 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.service.impl; - -import java.util.Collection; -import java.util.Date; - -import javax.annotation.PostConstruct; - -import org.joda.time.DateTime; -import org.joda.time.Period; -import org.mitre.openid.connect.model.Nonce; -import org.mitre.openid.connect.repository.NonceRepository; -import org.mitre.openid.connect.service.NonceService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -@Service("defaultNonceService") -public class DefaultNonceService implements NonceService { - - private static Logger logger = LoggerFactory.getLogger(NonceService.class); - - @Autowired - private NonceRepository repository; - - @Autowired - private Period nonceStorageDuration; - - /** - * Make sure that the nonce storage duration was set - */ - @PostConstruct - public void afterPropertiesSet() throws Exception { - if (nonceStorageDuration == null) { - logger.error("Nonce storage duration must be set!"); - } - logger.info("Nonce Service ready to go"); - } - - @Override - public Nonce create(String clientId, String value) { - //Store nonce - Nonce nonce = new Nonce(); - nonce.setClientId(clientId); - nonce.setValue(value); - DateTime now = new DateTime(new Date()); - nonce.setUseDate(now.toDate()); - DateTime expDate = now.plus(nonceStorageDuration); - Date expirationJdkDate = expDate.toDate(); - nonce.setExpireDate(expirationJdkDate); - return nonce; - } - - @Override - public boolean alreadyUsed(String clientId, String value) { - - Collection clientNonces = getByClientId(clientId); - for (Nonce nonce : clientNonces) { - String nonceVal = nonce.getValue(); - if (nonceVal.equals(value)) { - return true; - } - } - - return false; - } - - @Override - public Nonce getById(Long id) { - return repository.getById(id); - } - - @Override - public void remove(Nonce nonce) { - repository.remove(nonce); - } - - @Override - public Nonce save(Nonce nonce) { - return repository.save(nonce); - } - - @Override - public Collection getAll() { - return repository.getAll(); - } - - @Override - public Collection getExpired() { - return repository.getExpired(); - } - - @Override - public Collection getByClientId(String clientId) { - return repository.getByClientId(clientId); - } - - @Override - //We are eventually deleting this class, but if we weren't, - //this would have been moved to application-context.xml for easier configuration. - //@Scheduled(fixedRate = 5 * 60 * 1000) // schedule this task every five minutes - public void clearExpiredNonces() { - - logger.info("Clearing expired nonces"); - - Collection expired = repository.getExpired(); - logger.info("Found " + expired.size() + " expired nonces"); - - for (Nonce nonce : expired) { - remove(nonce); - } - } - - public NonceRepository getRepository() { - return repository; - } - - public void setRepository(NonceRepository repository) { - this.repository = repository; - } - - public Period getNonceStorageDuration() { - return nonceStorageDuration; - } - - public void setNonceStorageDuration(Period nonceStorageDuration) { - this.nonceStorageDuration = nonceStorageDuration; - } - - -} diff --git a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml index 39ea0be63..68061abf3 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml +++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml @@ -156,14 +156,6 @@ - - - - - - - - diff --git a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestDefaultNonceService.java b/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestDefaultNonceService.java deleted file mode 100644 index 9058bf0b7..000000000 --- a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestDefaultNonceService.java +++ /dev/null @@ -1,109 +0,0 @@ -/******************************************************************************* - * Copyright 2013 The MITRE Corporation - * and the MIT Kerberos and Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - ******************************************************************************/ -package org.mitre.openid.connect.service.impl; - -import java.util.Date; - -import org.joda.time.DateTime; -import org.joda.time.Period; -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mitre.openid.connect.model.Nonce; -import org.mitre.openid.connect.repository.NonceRepository; -import org.mockito.InjectMocks; -import org.mockito.Mock; -import org.mockito.Mockito; -import org.mockito.runners.MockitoJUnitRunner; - -import com.google.common.collect.Sets; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; - -/** - * @author wkim - * - */ -@RunWith(MockitoJUnitRunner.class) -public class TestDefaultNonceService { - - // Test value for nonce storage duration time. - private Period nonceStorageDuration = new Period().withSeconds(1); - - private String clientId = "123abc"; - private String value1 = "n1"; - private String value2 = "n2"; - private String value3 = "n3"; - - @Mock - private NonceRepository repository; - - @InjectMocks - private DefaultNonceService service = new DefaultNonceService(); - - @Before - public void prepare() { - - Mockito.reset(repository); - - service.setNonceStorageDuration(nonceStorageDuration); - - - } - - /** - * Tests the correctness of created nonces. - */ - @Test - public void create() { - - Date start = new Date(System.currentTimeMillis() - 100); // time skew of 100ms on either side - - Nonce nonce = service.create(clientId, value1); - - Date end = new Date(System.currentTimeMillis() + 100); // time skew of 100ms on either side - - assertEquals(clientId, nonce.getClientId()); - assertEquals(value1, nonce.getValue()); - assertTrue(nonce.getUseDate().after(start) && nonce.getUseDate().before(end)); // make sure the date is within the right range (within 100ms on either side) - - // Check expiration date. - assertEquals(new DateTime(nonce.getUseDate()).plus(nonceStorageDuration), new DateTime(nonce.getExpireDate())); - } - - /** - * Verifies that if any nonce returned by the repository already has the value being checked for, - * then the service method returns true. - * - * Also checks a nonce value not returned by the repository to verify the method returns false in this case. - */ - @Test - public void alreadyUsed() { - - Nonce nonce1 = service.create(clientId, value1); - Nonce nonce2 = service.create(clientId, value2); - - Mockito.when(repository.getByClientId(clientId)).thenReturn(Sets.newHashSet(nonce1, nonce2)); - - assertTrue(service.alreadyUsed(clientId, value1)); - assertTrue(service.alreadyUsed(clientId, value2)); - - assertFalse(service.alreadyUsed(clientId, value3)); - } -}