Merge pull request #38 from dBucik/psql

Psql
Dominik František Bučík 2021-11-15 12:52:31 +01:00 committed by GitHub
commit 9ba4ac8628
291 changed files with 2087 additions and 4046 deletions


@ -81,7 +81,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_scope (
CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
val VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS saved_user_auth (


@ -1,61 +0,0 @@
--
-- Turn off autocommit and start a transaction so that we can use the temp tables
--
SET AUTOCOMMIT = 0;
START TRANSACTION;
--
-- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here.
--
INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
('client', 'secret', 'Test Client', false, null, 3600, 600, true);
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'openid'),
('client', 'profile'),
('client', 'email'),
('client', 'address'),
('client', 'phone'),
('client', 'offline_access');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
('client', 'http://localhost/'),
('client', 'http://localhost:8080/');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
('client', 'authorization_code'),
('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
('client', 'implicit'),
('client', 'refresh_token');
--
-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
--
INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP
ON DUPLICATE KEY UPDATE client_details.client_id = client_details.client_id;
INSERT INTO client_scope (owner_id, scope)
SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id
ON DUPLICATE KEY UPDATE client_scope.owner_id = client_scope.owner_id;
INSERT INTO client_redirect_uri (owner_id, redirect_uri)
SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id
ON DUPLICATE KEY UPDATE client_redirect_uri.owner_id = client_redirect_uri.owner_id;
INSERT INTO client_grant_type (owner_id, grant_type)
SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id
ON DUPLICATE KEY UPDATE client_grant_type.owner_id = client_grant_type.owner_id;
--
-- Close the transaction and turn autocommit back on
--
COMMIT;
SET AUTOCOMMIT = 1;


@ -3,380 +3,380 @@
--
CREATE TABLE IF NOT EXISTS access_token (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP NULL,
token_type VARCHAR(256),
refresh_token_id BIGINT,
client_id BIGINT,
auth_holder_id BIGINT,
approved_site_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP NULL,
token_type VARCHAR(256),
refresh_token_id BIGINT,
client_id BIGINT,
auth_holder_id BIGINT,
approved_site_id BIGINT
);
CREATE TABLE IF NOT EXISTS access_token_permissions (
access_token_id BIGINT NOT NULL,
permission_id BIGINT NOT NULL
access_token_id BIGINT NOT NULL,
permission_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS address (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
formatted VARCHAR(256),
street_address VARCHAR(256),
locality VARCHAR(256),
region VARCHAR(256),
postal_code VARCHAR(256),
country VARCHAR(256)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
formatted VARCHAR(256),
street_address VARCHAR(256),
locality VARCHAR(256),
region VARCHAR(256),
postal_code VARCHAR(256),
country VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS approved_site (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
user_id VARCHAR(256),
client_id VARCHAR(256),
creation_date TIMESTAMP NULL,
access_date TIMESTAMP NULL,
timeout_date TIMESTAMP NULL,
whitelisted_site_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
user_id VARCHAR(256),
client_id VARCHAR(256),
creation_date TIMESTAMP NULL,
access_date TIMESTAMP NULL,
timeout_date TIMESTAMP NULL,
whitelisted_site_id BIGINT
);
CREATE TABLE IF NOT EXISTS approved_site_scope (
owner_id BIGINT,
scope VARCHAR(256)
owner_id BIGINT,
scope VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
user_auth_id BIGINT,
approved BOOLEAN,
redirect_uri VARCHAR(2048),
client_id VARCHAR(256)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
user_auth_id BIGINT,
approved BOOLEAN,
redirect_uri VARCHAR(2048),
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder_resource_id (
owner_id BIGINT,
resource_id VARCHAR(2048)
owner_id BIGINT,
resource_id VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_response_type (
owner_id BIGINT,
response_type VARCHAR(2048)
owner_id BIGINT,
response_type VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_extension (
owner_id BIGINT,
extension VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
extension VARCHAR(2048),
val VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
param VARCHAR(2048),
val TEXT
);
CREATE TABLE IF NOT EXISTS saved_user_auth (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024),
authenticated BOOLEAN,
source_class VARCHAR(2048)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024),
authenticated BOOLEAN,
source_class VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS saved_user_auth_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authorization_code (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
code VARCHAR(256),
auth_holder_id BIGINT,
expiration TIMESTAMP NULL
id BIGINT AUTO_INCREMENT PRIMARY KEY,
code VARCHAR(256),
auth_holder_id BIGINT,
expiration TIMESTAMP NULL
);
CREATE TABLE IF NOT EXISTS client_grant_type (
owner_id BIGINT,
grant_type VARCHAR(2000)
owner_id BIGINT,
grant_type VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_response_type (
owner_id BIGINT,
response_type VARCHAR(2000)
owner_id BIGINT,
response_type VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS blacklisted_site (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
uri VARCHAR(2048)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS client_details (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
id BIGINT AUTO_INCREMENT PRIMARY KEY,
client_description VARCHAR(1024),
reuse_refresh_tokens BOOLEAN DEFAULT true NOT NULL,
dynamically_registered BOOLEAN DEFAULT false NOT NULL,
allow_introspection BOOLEAN DEFAULT false NOT NULL,
id_token_validity_seconds BIGINT DEFAULT 600 NOT NULL,
device_code_validity_seconds BIGINT,
client_id VARCHAR(256),
client_secret VARCHAR(2048),
access_token_validity_seconds BIGINT,
refresh_token_validity_seconds BIGINT,
application_type VARCHAR(256),
client_name VARCHAR(256),
token_endpoint_auth_method VARCHAR(256),
subject_type VARCHAR(256),
policy_uri VARCHAR(2048),
client_uri VARCHAR(2048),
tos_uri VARCHAR(2048),
client_description VARCHAR(1024),
reuse_refresh_tokens BOOLEAN DEFAULT true NOT NULL,
dynamically_registered BOOLEAN DEFAULT false NOT NULL,
allow_introspection BOOLEAN DEFAULT false NOT NULL,
id_token_validity_seconds BIGINT DEFAULT 600 NOT NULL,
device_code_validity_seconds BIGINT,
client_id VARCHAR(256),
client_secret VARCHAR(2048),
access_token_validity_seconds BIGINT,
refresh_token_validity_seconds BIGINT,
application_type VARCHAR(256),
client_name VARCHAR(256),
token_endpoint_auth_method VARCHAR(256),
subject_type VARCHAR(256),
policy_uri VARCHAR(2048),
client_uri VARCHAR(2048),
tos_uri VARCHAR(2048),
jwks_uri VARCHAR(2048),
jwks VARCHAR(8192),
sector_identifier_uri VARCHAR(2048),
request_object_signing_alg VARCHAR(256),
user_info_signed_response_alg VARCHAR(256),
user_info_encrypted_response_alg VARCHAR(256),
user_info_encrypted_response_enc VARCHAR(256),
id_token_signed_response_alg VARCHAR(256),
id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
default_max_age BIGINT,
require_auth_time BOOLEAN,
created_at TIMESTAMP NULL,
initiate_login_uri VARCHAR(2048),
clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
software_statement VARCHAR(4096),
software_id VARCHAR(2048),
software_version VARCHAR(2048),
code_challenge_method VARCHAR(256),
UNIQUE (client_id)
jwks_uri VARCHAR(2048),
jwks VARCHAR(8192),
sector_identifier_uri VARCHAR(2048),
request_object_signing_alg VARCHAR(256),
user_info_signed_response_alg VARCHAR(256),
user_info_encrypted_response_alg VARCHAR(256),
user_info_encrypted_response_enc VARCHAR(256),
id_token_signed_response_alg VARCHAR(256),
id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
default_max_age BIGINT,
require_auth_time BOOLEAN,
created_at TIMESTAMP NULL,
initiate_login_uri VARCHAR(2048),
clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
software_statement VARCHAR(4096),
software_id VARCHAR(2048),
software_version VARCHAR(2048),
code_challenge_method VARCHAR(256),
UNIQUE (client_id)
);
CREATE TABLE IF NOT EXISTS client_request_uri (
owner_id BIGINT,
request_uri VARCHAR(2000)
owner_id BIGINT,
request_uri VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_post_logout_redirect_uri (
owner_id BIGINT,
post_logout_redirect_uri VARCHAR(2000)
owner_id BIGINT,
post_logout_redirect_uri VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_default_acr_value (
owner_id BIGINT,
default_acr_value VARCHAR(2000)
owner_id BIGINT,
default_acr_value VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_contact (
owner_id BIGINT,
contact VARCHAR(256)
owner_id BIGINT,
contact VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_redirect_uri (
owner_id BIGINT,
redirect_uri VARCHAR(2048)
owner_id BIGINT,
redirect_uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
owner_id BIGINT,
redirect_uri VARCHAR(2048)
owner_id BIGINT,
redirect_uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS refresh_token (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP NULL,
auth_holder_id BIGINT,
client_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP NULL,
auth_holder_id BIGINT,
client_id BIGINT
);
CREATE TABLE IF NOT EXISTS client_resource (
owner_id BIGINT,
resource_id VARCHAR(256)
owner_id BIGINT,
resource_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS token_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS system_scope (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
scope VARCHAR(256) NOT NULL,
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN DEFAULT false NOT NULL,
default_scope BOOLEAN DEFAULT false NOT NULL,
UNIQUE (scope)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
scope VARCHAR(256) NOT NULL,
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN DEFAULT false NOT NULL,
default_scope BOOLEAN DEFAULT false NOT NULL,
UNIQUE (scope)
);
CREATE TABLE IF NOT EXISTS user_info (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
sub VARCHAR(256),
preferred_username VARCHAR(256),
name VARCHAR(256),
given_name VARCHAR(256),
family_name VARCHAR(256),
middle_name VARCHAR(256),
nickname VARCHAR(256),
profile VARCHAR(256),
picture VARCHAR(256),
website VARCHAR(256),
email VARCHAR(256),
email_verified BOOLEAN,
gender VARCHAR(256),
zone_info VARCHAR(256),
locale VARCHAR(256),
phone_number VARCHAR(256),
phone_number_verified BOOLEAN,
address_id VARCHAR(256),
updated_time VARCHAR(256),
birthdate VARCHAR(256),
src VARCHAR(4096)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
sub VARCHAR(256),
preferred_username VARCHAR(256),
name VARCHAR(256),
given_name VARCHAR(256),
family_name VARCHAR(256),
middle_name VARCHAR(256),
nickname VARCHAR(256),
profile VARCHAR(256),
picture VARCHAR(256),
website VARCHAR(256),
email VARCHAR(256),
email_verified BOOLEAN,
gender VARCHAR(256),
zone_info VARCHAR(256),
locale VARCHAR(256),
phone_number VARCHAR(256),
phone_number_verified BOOLEAN,
address_id VARCHAR(256),
updated_time VARCHAR(256),
birthdate VARCHAR(256),
src VARCHAR(4096)
);
CREATE TABLE IF NOT EXISTS whitelisted_site (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
creator_user_id VARCHAR(256),
client_id VARCHAR(256)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
creator_user_id VARCHAR(256),
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS whitelisted_site_scope (
owner_id BIGINT,
scope VARCHAR(256)
owner_id BIGINT,
scope VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS pairwise_identifier (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
identifier VARCHAR(256),
sub VARCHAR(256),
sector_identifier VARCHAR(2048)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
identifier VARCHAR(256),
sub VARCHAR(256),
sector_identifier VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS resource_set (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024) NOT NULL,
uri VARCHAR(1024),
icon_uri VARCHAR(1024),
rs_type VARCHAR(256),
owner VARCHAR(256) NOT NULL,
client_id VARCHAR(256)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024) NOT NULL,
uri VARCHAR(1024),
icon_uri VARCHAR(1024),
rs_type VARCHAR(256),
owner VARCHAR(256) NOT NULL,
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS resource_set_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS permission_ticket (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
ticket VARCHAR(256) NOT NULL,
permission_id BIGINT NOT NULL,
expiration TIMESTAMP NULL
id BIGINT AUTO_INCREMENT PRIMARY KEY,
ticket VARCHAR(256) NOT NULL,
permission_id BIGINT NOT NULL,
expiration TIMESTAMP NULL
);
CREATE TABLE IF NOT EXISTS permission (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
resource_set_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
resource_set_id BIGINT
);
CREATE TABLE IF NOT EXISTS permission_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS claim (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(256),
friendly_name VARCHAR(1024),
claim_type VARCHAR(1024),
claim_value VARCHAR(1024)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(256),
friendly_name VARCHAR(1024),
claim_type VARCHAR(1024),
claim_value VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS claim_to_policy (
policy_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
policy_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS claim_to_permission_ticket (
permission_ticket_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
permission_ticket_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS policy (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024),
resource_set_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(1024),
resource_set_id BIGINT
);
CREATE TABLE IF NOT EXISTS policy_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS claim_token_format (
owner_id BIGINT NOT NULL,
claim_token_format VARCHAR(1024)
owner_id BIGINT NOT NULL,
claim_token_format VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS claim_issuer (
owner_id BIGINT NOT NULL,
issuer VARCHAR(1024)
owner_id BIGINT NOT NULL,
issuer VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS saved_registered_client (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
issuer VARCHAR(1024),
registered_client VARCHAR(8192)
id BIGINT AUTO_INCREMENT PRIMARY KEY,
issuer VARCHAR(1024),
registered_client VARCHAR(8192)
);
CREATE TABLE IF NOT EXISTS device_code (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
device_code VARCHAR(1024),
user_code VARCHAR(1024),
expiration TIMESTAMP NULL,
client_id VARCHAR(256),
approved BOOLEAN,
auth_holder_id BIGINT
id BIGINT AUTO_INCREMENT PRIMARY KEY,
device_code VARCHAR(1024),
user_code VARCHAR(1024),
expiration TIMESTAMP NULL,
client_id VARCHAR(256),
approved BOOLEAN,
auth_holder_id BIGINT
);
CREATE TABLE IF NOT EXISTS device_code_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS device_code_request_parameter (
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
);
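Review bot: `val TEXT` on `authentication_holder_request_parameter` widens only that one table; `device_code_request_parameter.val` at the end of the hunk stays `VARCHAR(2048)`, and the same table in the first file section of this commit also keeps `VARCHAR(2048)`, so an oversized request parameter would be stored on one flow and rejected or truncated on another depending on engine settings. If the widening is intentional, apply `val TEXT` to `device_code_request_parameter` too and put a comment above it such as `-- TEXT: request parameters (e.g. request objects) can exceed 2048 chars`. Since these statements are `CREATE TABLE IF NOT EXISTS`, an existing deployment will not pick up the new column type without a separate ALTER migration, which the commit does not include. The hunk starts at line 3 of the file, so the header comment these tables sit under is outside the hunk.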


@ -6,26 +6,35 @@ SET AUTOCOMMIT = 0;
START TRANSACTION;
CREATE TEMPORARY TABLE IF NOT EXISTS system_scope_TEMP (
scope VARCHAR(256),
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN,
default_scope BOOLEAN
);
--
-- Insert scope information into the temporary tables.
--
--
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('openid', 'log in using your identity', 'user', false, true),
('profile', 'basic profile information', 'list-alt', false, true),
('email', 'email address', 'envelope', false, true),
('address', 'physical address', 'home', false, true),
('phone', 'telephone number', 'bell', false, true),
('offline_access', 'offline access', 'time', false, false);
('openid', 'log in using your identity', 'user', false, true),
('profile', 'basic profile information', 'list-alt', false, true),
('email', 'email address', 'envelope', false, true),
('address', 'physical address', 'home', false, true),
('phone', 'telephone number', 'bell', false, true),
('offline_access', 'offline access', 'time', false, false),
('perun_api', 'calls to Perun API in your roles', 'cog', true, false);
--
-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
--
INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description)
SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP
ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope;
INSERT INTO system_scope (scope, description, icon, restricted, default_scope)
SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP
ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope;
COMMIT;
SET AUTOCOMMIT = 1;
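Review bot: The merge step `ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope` is a deliberate no-op on conflict, so the `restricted = true` flag on the new `perun_api` row only takes effect when that scope is first created; on a persistent store where `perun_api` already exists with different flags, the restriction is never applied and nothing in the script reports that. If the seed is meant to be authoritative for these flags, update them on conflict, e.g. `ON DUPLICATE KEY UPDATE restricted = VALUES(restricted), default_scope = VALUES(default_scope);`; if the existing "created once" behaviour is intended, say so in the comment above the INSERT, e.g. `-- Existing rows are NOT updated: changes to restricted/default_scope require a manual UPDATE.` The `ON DUPLICATE KEY` form is MySQL-specific; if this file is meant to serve the PostgreSQL target this PR adds, it would need `ON CONFLICT (scope) DO NOTHING` instead. The transaction this runs in is opened before the hunk.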


@ -1,14 +0,0 @@
--
-- Tables for Spring Security's user details service
--
create table IF NOT EXISTS users(
username varchar(50) not null primary key,
password varchar(50) not null,
enabled boolean not null);
create table IF NOT EXISTS authorities (
username varchar(50) not null,
authority varchar(50) not null,
constraint fk_authorities_users foreign key(username) references users(username),
constraint ix_authority unique (username,authority));


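--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+CREATE TABLE shedlock (
+name VARCHAR(64) PRIMARY KEY,
+lock_until TIMESTAMP(3) NULL,
+locked_at TIMESTAMP(3) NULL,
+locked_by VARCHAR(255)
+);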
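Review bot: `CREATE TABLE shedlock (` lacks `IF NOT EXISTS`, unlike every other DDL statement in this commit, so if this script is applied on each startup against a persistent store the second run fails on the existing table; change the first line to `CREATE TABLE IF NOT EXISTS shedlock (`. The file also has no header comment; a one-liner above the statement such as `-- Lock table for scheduler lock coordination (presumably ShedLock; columns match its default schema).` would tell the next reader why it exists and why `lock_until`/`locked_at` are nullable.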


@ -1,52 +0,0 @@
--
-- Turn off autocommit and start a transaction so that we can use the temp tables
--
SET AUTOCOMMIT = 0;
START TRANSACTION;
--
-- Insert user information into the temporary tables. To add users to the HSQL database, edit things here.
--
INSERT INTO users_TEMP (username, password, enabled) VALUES
('admin','password',true),
('user','password',true);
INSERT INTO authorities_TEMP (username, authority) VALUES
('admin','ROLE_ADMIN'),
('admin','ROLE_USER'),
('user','ROLE_USER');
-- By default, the username column here has to match the username column in the users table, above
INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES
('90342.ASDFJWFA','admin','Demo Admin','admin@example.com', true),
('01921.FLANRJQW','user','Demo User','user@example.com', true);
--
-- Merge the temporary users safely into the database. This is a two-step process to keep users from being created on every startup with a persistent store.
--
INSERT INTO users (username, password, enabled)
SELECT username, password, enabled FROM users_TEMP
ON DUPLICATE KEY UPDATE users.username = users.username;
INSERT INTO authorities (username,authority)
SELECT username, authority FROM authorities_TEMP
ON DUPLICATE KEY UPDATE authorities.username = authorities.username;
INSERT INTO user_info (sub, preferred_username, name, email, email_verified)
SELECT sub, preferred_username, name, email, email_verified FROM user_info_TEMP
ON DUPLICATE KEY UPDATE user_info.preferred_username = user_info.preferred_username;
--
-- Close the transaction and turn autocommit back on
--
COMMIT;
SET AUTOCOMMIT = 1;


@ -1,51 +0,0 @@
--
-- Insert client information into the temporary tables. To add clients to the Oracle database, edit things here.
--
INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
('client', 'secret', 'Test Client', 0, null, 3600, 600, 1);
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'openid');
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'profile');
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'email');
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'address');
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'phone');
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'offline_access');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost/');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost:8080/');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'authorization_code');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'urn:ietf:params:oauth:grant_type:redelegate');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'implicit');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'refresh_token');
--
-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
--
MERGE INTO client_details
USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) vals
ON (vals.client_id = client_details.client_id)
WHEN NOT MATCHED THEN
INSERT (id, client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds,
id_token_validity_seconds, allow_introspection) VALUES(client_details_seq.nextval, vals.client_id, vals.client_secret, vals.client_name, vals.dynamically_registered,
vals.refresh_token_validity_seconds, vals.access_token_validity_seconds, vals.id_token_validity_seconds, vals.allow_introspection);
MERGE INTO client_scope
USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) vals
ON (vals.id = client_scope.owner_id AND vals.scope = client_scope.scope)
WHEN NOT MATCHED THEN
INSERT (owner_id, scope) values (vals.id, vals.scope);
MERGE INTO client_redirect_uri
USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) vals
ON (vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri)
WHEN NOT MATCHED THEN
INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri);
MERGE INTO client_grant_type
USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) vals
ON (vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type)
WHEN NOT MATCHED THEN
INSERT (owner_id, grant_type) values (vals.id, vals.grant_type);


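--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,15 +0,0 @@
-drop user oauth cascade;
-drop tablespace data_ts INCLUDING CONTENTS AND DATAFILES;
-drop tablespace temp_ts INCLUDING CONTENTS AND DATAFILES;
-CREATE TABLESPACE data_ts DATAFILE 'data_ts.dat' SIZE 40M ONLINE;
-CREATE TEMPORARY TABLESPACE temp_ts TEMPFILE 'temp_ts.dbf' SIZE 5M AUTOEXTEND ON;
-create user oauth identified by test DEFAULT TABLESPACE data_ts QUOTA 500K ON data_ts TEMPORARY TABLESPACE temp_ts;
-GRANT CONNECT TO oauth;
-GRANT UNLIMITED TABLESPACE TO oauth;
-grant create session to oauth;
-grant create table to oauth;
-GRANT CREATE TABLESPACE TO oauth;
-GRANT CREATE VIEW TO oauth;
-GRANT CREATE ANY INDEX TO oauth;
-GRANT CREATE SEQUENCE TO oauth;
-GRANT CREATE SYNONYM TO oauth;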


@ -1,281 +0,0 @@
<!--
Copyright 2018 The MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<entity-mappings xmlns="http://xmlns.jcp.org/xml/ns/persistence/orm"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence/orm http://xmlns.jcp.org/xml/ns/persistence/orm_2_0.xsd"
version="2.1">
<description>OpenID Connect Server entities</description>
<entity class="cz.muni.ics.oauth2.model.AuthenticationHolderEntity" name="AuthenticationHolderEntity">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="AuthenticationHolderSequenceGenerator"/>
<sequence-generator name="AuthenticationHolderSequenceGenerator" sequence-name="authentication_holder_seq" allocation-size="1"/>
<column name="id"/>
</id>
<!-- table name too long: authentication_holder_authority -->
<element-collection fetch="EAGER" name="authorities">
<collection-table name="auth_holder_authority">
<join-column name="owner_id"/>
</collection-table>
<convert converter="cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter"/>
<column name="authority"/>
</element-collection>
<!-- table name too long: authentication_holder_resource_id -->
<element-collection fetch="EAGER" name="resourceIds">
<collection-table name="auth_holder_resource_id">
<join-column name="owner_id"/>
</collection-table>
<column name="resource_id"/>
</element-collection>
<!-- table name too long: authentication_holder_response_type -->
<element-collection fetch="EAGER" name="responseTypes">
<collection-table name="auth_holder_response_type">
<join-column name="owner_id"/>
</collection-table>
<column name="response_type"/>
</element-collection>
<!-- table name too long: authentication_holder_extension -->
<element-collection fetch="EAGER" name="extensions">
<collection-table name="auth_holder_extension">
<join-column name="owner_id"/>
</collection-table>
<column name="val"/>
<map-key-column name="extension"/>
<convert converter="cz.muni.ics.oauth2.model.convert.SerializableStringConverter"/>
</element-collection>
<!-- table name too long: authentication_holder_request_parameter -->
<element-collection fetch="EAGER" name="requestParameters">
<collection-table name="auth_holder_request_parameter">
<join-column name="owner_id"/>
</collection-table>
<column name="val"/>
<map-key-column name="param"/>
</element-collection>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.AuthorizationCodeEntity" name="AuthorizationCodeEntity">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="AuthorizationCodeSequenceGenerator"/>
<sequence-generator name="AuthorizationCodeSequenceGenerator" sequence-name="authorization_code_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.ClientDetailsEntity" name="ClientDetailsEntity">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="ClientDetailsSequenceGenerator"/>
<sequence-generator name="ClientDetailsSequenceGenerator" sequence-name="client_details_seq" allocation-size="1"/>
<column name="id"/>
</id>
<!-- column name too long: user_info_encrypted_response_alg -->
<basic name="userInfoEncryptedResponseAlg">
<column name="user_info_encrypted_resp_alg"/>
<convert converter="cz.muni.ics.oauth2.model.convert.JWEAlgorithmStringConverter"/>
</basic>
<!-- column name too long: user_info_encrypted_response_enc -->
<basic name="userInfoEncryptedResponseEnc">
<column name="user_info_encrypted_resp_enc"/>
<convert converter="cz.muni.ics.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
</basic>
<!-- column name too long: id_token_encrypted_response_alg -->
<basic name="idTokenEncryptedResponseAlg">
<column name="id_token_encrypted_resp_alg"/>
<convert converter="cz.muni.ics.oauth2.model.convert.JWEAlgorithmStringConverter"/>
</basic>
<!-- column name too long: id_token_encrypted_response_enc -->
<basic name="idTokenEncryptedResponseEnc">
<column name="id_token_encrypted_resp_enc"/>
<convert converter="cz.muni.ics.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
</basic>
<!-- column name too long: token_endpoint_auth_signing_alg -->
<basic name="tokenEndpointAuthSigningAlg">
<column name="token_endpoint_auth_sign_alg"/>
<convert converter="cz.muni.ics.oauth2.model.convert.JWSAlgorithmStringConverter"/>
</basic>
<!-- table name too long: client_post_logout_redirect_uri -->
<element-collection fetch="EAGER" name="postLogoutRedirectUris">
<collection-table name="client_post_logout_redir_uri">
<join-column name="owner_id"/>
</collection-table>
<column name="post_logout_redirect_uri"/>
</element-collection>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity" name="OAuth2AccessTokenEntity">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="OAuth2AccessTokenSequenceGenerator"/>
<sequence-generator name="OAuth2AccessTokenSequenceGenerator" sequence-name="access_token_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity" name="OAuth2RefreshTokenEntity">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="OAuth2RefreshTokenSequenceGenerator"/>
<sequence-generator name="OAuth2RefreshTokenSequenceGenerator" sequence-name="refresh_token_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.SavedUserAuthentication" name="SavedUserAuthentication">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="SavedUserAuthenticationSequenceGenerator"/>
<sequence-generator name="SavedUserAuthenticationSequenceGenerator" sequence-name="saved_user_auth_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.oauth2.model.SystemScope" name="SystemScope">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="SystemScopeSequenceGenerator"/>
<sequence-generator name="SystemScopeSequenceGenerator" sequence-name="system_scope_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.openid.connect.model.ApprovedSite" name="ApprovedSite">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="ApprovedSiteSequenceGenerator"/>
<sequence-generator name="ApprovedSiteSequenceGenerator" sequence-name="approved_site_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.openid.connect.model.BlacklistedSite" name="BlacklistedSite">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="BlacklistedSiteSequenceGenerator"/>
<sequence-generator name="BlacklistedSiteSequenceGenerator" sequence-name="blacklisted_site_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.openid.connect.model.PairwiseIdentifier" name="PairwiseIdentifier">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="PairwiseIdentifierSequenceGenerator"/>
<sequence-generator name="PairwiseIdentifierSequenceGenerator" sequence-name="pairwise_identifier_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.openid.connect.model.WhitelistedSite" name="WhitelistedSite">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="WhitelistedSiteSequenceGenerator"/>
<sequence-generator name="WhitelistedSiteSequenceGenerator" sequence-name="whitelisted_site_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.Claim" name="Claim">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="ClaimSequenceGenerator"/>
<sequence-generator name="ClaimSequenceGenerator" sequence-name="claim_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.Permission" name="Permission">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="PermissionSequenceGenerator"/>
<sequence-generator name="PermissionSequenceGenerator" sequence-name="permission_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.PermissionTicket" name="PermissionTicket">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="PermissionTicketSequenceGenerator"/>
<sequence-generator name="PermissionTicketSequenceGenerator" sequence-name="permission_ticket_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.Policy" name="Policy">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="PolicySequenceGenerator"/>
<sequence-generator name="PolicySequenceGenerator" sequence-name="policy_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.ResourceSet" name="ResourceSet">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="ResourceSetSequenceGenerator"/>
<sequence-generator name="ResourceSetSequenceGenerator" sequence-name="resource_set_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
<entity class="cz.muni.ics.uma.model.SavedRegisteredClient" name="SavedRegisteredClient">
<attributes>
<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
<id name="id">
<generated-value strategy="SEQUENCE" generator="SavedRegisteredClientSequenceGenerator"/>
<sequence-generator name="SavedRegisteredClientSequenceGenerator" sequence-name="saved_registered_client_seq" allocation-size="1"/>
<column name="id"/>
</id>
</attributes>
</entity>
</entity-mappings>


@ -1,77 +0,0 @@
--
-- Temporary tables used during the bootstrapping process to safely load users and clients.
-- These are not needed if you're not using the users.sql/clients.sql files to bootstrap the database.
--
CREATE GLOBAL TEMPORARY TABLE authorities_TEMP (
username varchar2(50) not null,
authority varchar2(50) not null,
constraint ix_authority_TEMP unique (username,authority)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE users_TEMP (
username VARCHAR2(50) not null primary key,
password VARCHAR2(50) not null,
enabled NUMBER(1) not null
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE user_info_TEMP (
sub VARCHAR2(256) not null primary key,
preferred_username VARCHAR2(256),
name VARCHAR2(256),
given_name VARCHAR2(256),
family_name VARCHAR2(256),
middle_name VARCHAR2(256),
nickname VARCHAR2(256),
profile VARCHAR2(256),
picture VARCHAR2(256),
website VARCHAR2(256),
email VARCHAR2(256),
email_verified NUMBER(1),
gender VARCHAR2(256),
zone_info VARCHAR2(256),
locale VARCHAR2(256),
phone_number VARCHAR2(256),
address_id VARCHAR2(256),
updated_time VARCHAR2(256),
birthdate VARCHAR2(256)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE client_details_TEMP (
client_description VARCHAR2(256),
dynamically_registered NUMBER(1),
id_token_validity_seconds NUMBER(19),
client_id VARCHAR2(256),
client_secret VARCHAR2(2048),
access_token_validity_seconds NUMBER(19),
refresh_token_validity_seconds NUMBER(19),
allow_introspection NUMBER(1),
client_name VARCHAR2(256)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE client_scope_TEMP (
owner_id VARCHAR2(256),
scope VARCHAR2(2048)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE client_redirect_uri_TEMP (
owner_id VARCHAR2(256),
redirect_uri VARCHAR2(2048)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE client_grant_type_TEMP (
owner_id VARCHAR2(256),
grant_type VARCHAR2(2000)
) ON COMMIT PRESERVE ROWS;
CREATE GLOBAL TEMPORARY TABLE system_scope_TEMP (
scope VARCHAR2(256),
description VARCHAR2(4000),
icon VARCHAR2(256),
restricted NUMBER(1),
default_scope NUMBER(1),
structured NUMBER(1),
structured_param_description VARCHAR2(256)
) ON COMMIT PRESERVE ROWS;


@ -1,18 +0,0 @@
--
-- Indexes for Oracle
--
CREATE INDEX at_tv_idx ON access_token(token_value);
CREATE INDEX ts_oi_idx ON token_scope(owner_id);
CREATE INDEX at_exp_idx ON access_token(expiration);
CREATE INDEX rf_ahi_idx ON refresh_token(auth_holder_id);
CREATE INDEX rf_tv_idx ON refresh_token(token_value);
CREATE INDEX at_ahi_idx ON access_token(auth_holder_id);
CREATE INDEX aha_oi_idx ON authentication_holder_authority(owner_id);
CREATE INDEX ahe_oi_idx ON authentication_holder_extension(owner_id);
CREATE INDEX ahrp_oi_idx ON authentication_holder_request_parameter(owner_id);
CREATE INDEX ahri_oi_idx ON authentication_holder_resource_id(owner_id);
CREATE INDEX ahrt_oi_idx ON authentication_holder_response_type(owner_id);
CREATE INDEX ahs_oi_idx ON authentication_holder_scope(owner_id);
CREATE INDEX ac_ahi_idx ON authorization_code(auth_holder_id);
CREATE INDEX suaa_oi_idx ON saved_user_auth_authority(owner_id);


@ -1,416 +0,0 @@
--
-- Tables for OIDC Server functionality, Oracle
--
CREATE TABLE access_token (
id NUMBER(19) NOT NULL PRIMARY KEY,
token_value VARCHAR2(4000),
expiration TIMESTAMP,
token_type VARCHAR2(256),
refresh_token_id NUMBER(19),
client_id NUMBER(19),
auth_holder_id NUMBER(19),
approved_site_id NUMBER(19)
);
CREATE SEQUENCE access_token_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE access_token_permissions (
access_token_id NUMBER(19) NOT NULL,
permission_id NUMBER(19) NOT NULL
);
CREATE TABLE address (
id NUMBER(19) NOT NULL PRIMARY KEY,
formatted VARCHAR2(256),
street_address VARCHAR2(256),
locality VARCHAR2(256),
region VARCHAR2(256),
postal_code VARCHAR2(256),
country VARCHAR2(256)
);
CREATE SEQUENCE address_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE approved_site (
id NUMBER(19) NOT NULL PRIMARY KEY,
user_id VARCHAR2(256),
client_id VARCHAR2(256),
creation_date TIMESTAMP,
access_date TIMESTAMP,
timeout_date TIMESTAMP,
whitelisted_site_id NUMBER(19)
);
CREATE SEQUENCE approved_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE approved_site_scope (
owner_id NUMBER(19),
scope VARCHAR2(256)
);
CREATE TABLE authentication_holder (
id NUMBER(19) NOT NULL PRIMARY KEY,
user_auth_id NUMBER(19),
approved NUMBER(1),
redirect_uri VARCHAR2(2048),
client_id VARCHAR2(256),
CONSTRAINT approved_check CHECK (approved in (1,0))
);
CREATE SEQUENCE authentication_holder_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE auth_holder_authority (
owner_id NUMBER(19),
authority VARCHAR2(256)
);
CREATE TABLE auth_holder_resource_id (
owner_id NUMBER(19),
resource_id VARCHAR2(2048)
);
CREATE TABLE auth_holder_response_type (
owner_id NUMBER(19),
response_type VARCHAR2(2048)
);
CREATE TABLE auth_holder_extension (
owner_id NUMBER(19),
extension VARCHAR2(2048),
val VARCHAR2(2048)
);
CREATE TABLE authentication_holder_scope (
owner_id NUMBER(19),
scope VARCHAR2(2048)
);
CREATE TABLE auth_holder_request_parameter (
owner_id NUMBER(19),
param VARCHAR2(2048),
val VARCHAR2(2048)
);
CREATE TABLE saved_user_auth (
id NUMBER(19) NOT NULL PRIMARY KEY,
name VARCHAR2(1024),
authenticated NUMBER(1),
source_class VARCHAR2(2048),
CONSTRAINT authenticated_check CHECK (authenticated in (1,0))
);
CREATE SEQUENCE saved_user_auth_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE saved_user_auth_authority (
owner_id NUMBER(19),
authority VARCHAR2(256)
);
CREATE TABLE client_authority (
owner_id NUMBER(19),
authority VARCHAR2(256)
);
CREATE TABLE authorization_code (
id NUMBER(19) NOT NULL PRIMARY KEY,
code VARCHAR2(256),
auth_holder_id NUMBER(19),
expiration TIMESTAMP
);
CREATE SEQUENCE authorization_code_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE client_grant_type (
owner_id NUMBER(19),
grant_type VARCHAR2(2000)
);
CREATE TABLE client_response_type (
owner_id NUMBER(19),
response_type VARCHAR2(2000)
);
CREATE TABLE blacklisted_site (
id NUMBER(19) NOT NULL PRIMARY KEY,
uri VARCHAR2(2048)
);
CREATE SEQUENCE blacklisted_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE client_details (
id NUMBER(19) NOT NULL PRIMARY KEY,
client_description VARCHAR2(1024),
reuse_refresh_tokens NUMBER(1) DEFAULT 1 NOT NULL,
dynamically_registered NUMBER(1) DEFAULT 0 NOT NULL,
allow_introspection NUMBER(1) DEFAULT 0 NOT NULL,
id_token_validity_seconds NUMBER(19) DEFAULT 600 NOT NULL,
client_id VARCHAR2(256),
client_secret VARCHAR2(2048),
access_token_validity_seconds NUMBER(19),
refresh_token_validity_seconds NUMBER(19),
device_code_validity_seconds NUMBER(19),
application_type VARCHAR2(256),
client_name VARCHAR2(256),
token_endpoint_auth_method VARCHAR2(256),
subject_type VARCHAR2(256),
policy_uri VARCHAR2(2048),
client_uri VARCHAR2(2048),
tos_uri VARCHAR2(2048),
jwks_uri VARCHAR2(2048),
jwks CLOB,
sector_identifier_uri VARCHAR2(2048),
request_object_signing_alg VARCHAR2(256),
user_info_signed_response_alg VARCHAR2(256),
user_info_encrypted_resp_alg VARCHAR2(256),
user_info_encrypted_resp_enc VARCHAR2(256),
id_token_signed_response_alg VARCHAR2(256),
id_token_encrypted_resp_alg VARCHAR2(256),
id_token_encrypted_resp_enc VARCHAR2(256),
token_endpoint_auth_sign_alg VARCHAR2(256),
default_max_age NUMBER(19),
require_auth_time NUMBER(1),
created_at TIMESTAMP,
initiate_login_uri VARCHAR2(2048),
clear_access_tokens_on_refresh NUMBER(1) DEFAULT 1 NOT NULL,
software_statement VARCHAR(4096),
software_id VARCHAR(2048),
software_statement VARCHAR2(4000),
code_challenge_method VARCHAR2(256),
CONSTRAINT client_details_unique UNIQUE (client_id),
CONSTRAINT reuse_refresh_tokens_check CHECK (reuse_refresh_tokens in (1,0)),
CONSTRAINT dynamically_registered_check CHECK (dynamically_registered in (1,0)),
CONSTRAINT allow_introspection_check CHECK (allow_introspection in (1,0)),
CONSTRAINT require_auth_time_check CHECK (require_auth_time in (1,0)),
CONSTRAINT clear_acc_tok_on_refresh_check CHECK (clear_access_tokens_on_refresh in (1,0))
);
CREATE SEQUENCE client_details_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE client_request_uri (
owner_id NUMBER(19),
request_uri VARCHAR2(2000)
);
CREATE TABLE client_post_logout_redir_uri (
owner_id NUMBER(19),
post_logout_redirect_uri VARCHAR2(2000)
);
CREATE TABLE client_default_acr_value (
owner_id NUMBER(19),
default_acr_value VARCHAR2(2000)
);
CREATE TABLE client_contact (
owner_id NUMBER(19),
contact VARCHAR2(256)
);
CREATE TABLE client_redirect_uri (
owner_id NUMBER(19),
redirect_uri VARCHAR2(2048)
);
CREATE TABLE client_claims_redirect_uri (
owner_id NUMBER(19),
redirect_uri VARCHAR2(2048)
);
CREATE TABLE refresh_token (
id NUMBER(19) NOT NULL PRIMARY KEY,
token_value VARCHAR2(4000),
expiration TIMESTAMP,
auth_holder_id NUMBER(19),
client_id NUMBER(19)
);
CREATE SEQUENCE refresh_token_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE client_resource (
owner_id NUMBER(19),
resource_id VARCHAR2(256)
);
CREATE TABLE client_scope (
owner_id NUMBER(19),
scope VARCHAR2(2048)
);
CREATE TABLE token_scope (
owner_id NUMBER(19),
scope VARCHAR2(2048)
);
CREATE TABLE system_scope (
id NUMBER(19) NOT NULL PRIMARY KEY,
scope VARCHAR2(256) NOT NULL,
description VARCHAR2(4000),
icon VARCHAR2(256),
restricted NUMBER(1) DEFAULT 0 NOT NULL,
default_scope NUMBER(1) DEFAULT 0 NOT NULL
CONSTRAINT system_scope_unique UNIQUE (scope),
CONSTRAINT default_scope_check CHECK (default_scope in (1,0)),
CONSTRAINT restricted_check CHECK (restricted in (1,0))
);
CREATE SEQUENCE system_scope_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE user_info (
id NUMBER(19) NOT NULL PRIMARY KEY,
sub VARCHAR2(256),
preferred_username VARCHAR2(256),
name VARCHAR2(256),
given_name VARCHAR2(256),
family_name VARCHAR2(256),
middle_name VARCHAR2(256),
nickname VARCHAR2(256),
profile VARCHAR2(256),
picture VARCHAR2(256),
website VARCHAR2(256),
email VARCHAR2(256),
email_verified NUMBER(1),
gender VARCHAR2(256),
zone_info VARCHAR2(256),
locale VARCHAR2(256),
phone_number VARCHAR2(256),
phone_number_verified NUMBER(1),
address_id VARCHAR2(256),
updated_time VARCHAR2(256),
birthdate VARCHAR2(256),
src VARCHAR2(4000),
CONSTRAINT email_verified_check CHECK (email_verified in (1,0)),
CONSTRAINT phone_number_verified_check CHECK (phone_number_verified in (1,0))
);
CREATE SEQUENCE user_info_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE whitelisted_site (
id NUMBER(19) NOT NULL PRIMARY KEY,
creator_user_id VARCHAR2(256),
client_id VARCHAR2(256)
);
CREATE SEQUENCE whitelisted_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE whitelisted_site_scope (
owner_id NUMBER(19),
scope VARCHAR2(256)
);
CREATE TABLE pairwise_identifier (
id NUMBER(19) NOT NULL PRIMARY KEY,
identifier VARCHAR2(256),
sub VARCHAR2(256),
sector_identifier VARCHAR2(2048)
);
CREATE SEQUENCE pairwise_identifier_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE resource_set (
id NUMBER(19) NOT NULL PRIMARY KEY,
name VARCHAR2(1024) NOT NULL,
uri VARCHAR2(1024),
icon_uri VARCHAR2(1024),
rs_type VARCHAR2(256),
owner VARCHAR2(256) NOT NULL,
client_id VARCHAR2(256)
);
CREATE SEQUENCE resource_set_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE resource_set_scope (
owner_id NUMBER(19) NOT NULL,
scope VARCHAR2(256) NOT NULL
);
CREATE TABLE permission_ticket (
id NUMBER(19) NOT NULL PRIMARY KEY,
ticket VARCHAR2(256) NOT NULL,
permission_id NUMBER(19) NOT NULL,
expiration TIMESTAMP
);
CREATE SEQUENCE permission_ticket_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE permission (
id NUMBER(19) NOT NULL PRIMARY KEY,
resource_set_id NUMBER(19)
);
CREATE SEQUENCE permission_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE permission_scope (
owner_id NUMBER(19) NOT NULL,
scope VARCHAR2(256) NOT NULL
);
CREATE TABLE claim (
id NUMBER(19) NOT NULL PRIMARY KEY,
name VARCHAR2(256),
friendly_name VARCHAR2(1024),
claim_type VARCHAR2(1024),
claim_value VARCHAR2(1024)
);
CREATE SEQUENCE claim_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE claim_to_policy (
policy_id NUMBER(19) NOT NULL,
claim_id NUMBER(19) NOT NULL
);
CREATE TABLE claim_to_permission_ticket (
permission_ticket_id NUMBER(19) NOT NULL,
claim_id NUMBER(19) NOT NULL
);
CREATE TABLE policy (
id NUMBER(19) NOT NULL PRIMARY KEY,
name VARCHAR2(1024),
resource_set_id NUMBER(19)
);
CREATE SEQUENCE policy_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE policy_scope (
owner_id NUMBER(19) NOT NULL,
scope VARCHAR2(256) NOT NULL
);
CREATE TABLE claim_token_format (
owner_id NUMBER(19) NOT NULL,
claim_token_format VARCHAR2(1024) NOT NULL
);
CREATE TABLE claim_issuer (
owner_id NUMBER(19) NOT NULL,
issuer VARCHAR2(1024) NOT NULL
);
CREATE TABLE saved_registered_client (
id NUMBER(19) NOT NULL PRIMARY KEY,
issuer VARCHAR2(1024),
registered_client CLOB
);
CREATE SEQUENCE saved_registered_client_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
CREATE TABLE IF NOT EXISTS device_code (
id NUMBER(19) NOT NULL PRIMARY KEY,
device_code VARCHAR2(1024),
user_code VARCHAR2(1024),
expiration TIMESTAMP,
client_id VARCHAR2(256),
approved BOOLEAN,
auth_holder_id NUMBER(19)
);
CREATE TABLE IF NOT EXISTS device_code_scope (
owner_id NUMBER(19) NOT NULL,
scope VARCHAR2(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS device_code_request_parameter (
owner_id NUMBER(19),
param VARCHAR2(2048),
val VARCHAR2(2048)
);


@ -1,26 +0,0 @@
--
-- Insert scope information into the temporary tables.
--
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('openid', 'log in using your identity', 'user', 0, 1);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('profile', 'basic profile information', 'list-alt', 0, 1);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('email', 'email address', 'envelope', 0, 1);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('address', 'physical address', 'home', 0, 1);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('phone', 'telephone number', 'bell', 0, 1, 0);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('offline_access', 'offline access', 'time', 0, 0);
--
-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
--
MERGE INTO system_scope
USING (SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP) vals
ON (vals.scope = system_scope.scope)
WHEN NOT MATCHED THEN
INSERT (id, scope, description, icon, restricted, default_scope) VALUES(system_scope_seq.nextval, vals.scope,
vals.description, vals.icon, vals.restricted, vals.default_scope);


@ -1,18 +0,0 @@
--
-- Tables for Spring Security's user details service
--
create table users(
username varchar2(50) not null primary key,
password varchar2(50) not null,
enabled number(1) not null,
constraint enabled_check check (enabled in (1, 0))
);
create table authorities (
username varchar2(50) not null,
authority varchar2(50) not null,
constraint fk_authorities_users foreign key(username) references users(username),
constraint ix_authority unique (username,authority)
);


@ -1,39 +0,0 @@
--
-- Insert user information into the temporary tables. To add users to the Oracle database, edit things here.
--
INSERT INTO users_TEMP (username, password, enabled) VALUES ('admin','password',1);
INSERT INTO users_TEMP (username, password, enabled) VALUES ('user','password',1);
INSERT INTO authorities_TEMP (username, authority) VALUES ('admin','ROLE_ADMIN');
INSERT INTO authorities_TEMP (username, authority) VALUES('admin','ROLE_USER');
INSERT INTO authorities_TEMP (username, authority) VALUES('user','ROLE_USER');
-- By default, the username column here has to match the username column in the users table, above
INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES ('90342.ASDFJWFA','admin','Demo Admin','admin@example.com', 1);
INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES ('01921.FLANRJQW','user','Demo User','user@example.com', 1);
--
-- Merge the temporary users safely into the database. This is a two-step process to keep users from being created on every startup with a persistent store.
--
MERGE INTO users
USING (SELECT username, password, enabled FROM users_TEMP) vals
ON (vals.username = users.username)
WHEN NOT MATCHED THEN
INSERT (username, password, enabled) VALUES(vals.username, vals.password, vals.enabled);
MERGE INTO authorities
USING (SELECT username, authority FROM authorities_TEMP) vals
ON (vals.username = authorities.username AND vals.authority = authorities.authority)
WHEN NOT MATCHED THEN
INSERT (username,authority) values (vals.username, vals.authority);
MERGE INTO user_info
USING (SELECT sub, preferred_username, name, email, email_verified FROM user_info_TEMP) vals
ON (vals.preferred_username = user_info.preferred_username)
WHEN NOT MATCHED THEN
INSERT (id, sub, preferred_username, name, email, email_verified) VALUES (user_info_seq.nextval, vals.sub, vals.preferred_username, vals.name, vals.email,
vals.email_verified);


@ -1,66 +0,0 @@
--
-- Turn off autocommit and start a transaction so that we can use the temp tables
--
--SET AUTOCOMMIT = OFF;
START TRANSACTION;
--
-- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here.
--
INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
('client', 'secret', 'Test Client', false, null, 3600, 600, true);
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'openid'),
('client', 'profile'),
('client', 'email'),
('client', 'address'),
('client', 'phone'),
('client', 'offline_access');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
('client', 'http://localhost/'),
('client', 'http://localhost:8080/');
INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
('client', 'authorization_code'),
('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
('client', 'implicit'),
('client', 'refresh_token');
--
-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
--
INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP
ON CONFLICT
DO NOTHING;
INSERT INTO client_scope (scope)
SELECT scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id
ON CONFLICT
DO NOTHING;
INSERT INTO client_redirect_uri (redirect_uri)
SELECT redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id
ON CONFLICT
DO NOTHING;
INSERT INTO client_grant_type (grant_type)
SELECT grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id
ON CONFLICT
DO NOTHING;
--
-- Close the transaction and turn autocommit back on
--
COMMIT;
--SET AUTOCOMMIT = ON;


@ -3,381 +3,382 @@
--
CREATE TABLE IF NOT EXISTS access_token (
id BIGSERIAL PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP,
token_type VARCHAR(256),
refresh_token_id BIGINT,
client_id BIGINT,
auth_holder_id BIGINT,
approved_site_id BIGINT,
UNIQUE(token_value)
id BIGSERIAL PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP,
token_type VARCHAR(256),
refresh_token_id BIGINT,
client_id BIGINT,
auth_holder_id BIGINT,
approved_site_id BIGINT,
UNIQUE(token_value)
);
CREATE TABLE IF NOT EXISTS access_token_permissions (
access_token_id BIGINT NOT NULL,
permission_id BIGINT NOT NULL
access_token_id BIGINT NOT NULL,
permission_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS address (
id BIGSERIAL PRIMARY KEY,
formatted VARCHAR(256),
street_address VARCHAR(256),
locality VARCHAR(256),
region VARCHAR(256),
postal_code VARCHAR(256),
country VARCHAR(256)
id BIGSERIAL PRIMARY KEY,
formatted VARCHAR(256),
street_address VARCHAR(256),
locality VARCHAR(256),
region VARCHAR(256),
postal_code VARCHAR(256),
country VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS approved_site (
id BIGSERIAL PRIMARY KEY,
user_id VARCHAR(256),
client_id VARCHAR(256),
creation_date TIMESTAMP,
access_date TIMESTAMP,
timeout_date TIMESTAMP,
whitelisted_site_id BIGINT
id BIGSERIAL PRIMARY KEY,
user_id VARCHAR(256),
client_id VARCHAR(256),
creation_date TIMESTAMP,
access_date TIMESTAMP,
timeout_date TIMESTAMP,
whitelisted_site_id BIGINT
);
CREATE TABLE IF NOT EXISTS approved_site_scope (
owner_id BIGINT,
scope VARCHAR(256)
owner_id BIGINT,
scope VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder (
id BIGSERIAL PRIMARY KEY,
user_auth_id BIGINT,
approved BOOLEAN,
redirect_uri VARCHAR(2048),
client_id VARCHAR(256)
id BIGSERIAL PRIMARY KEY,
user_auth_id BIGINT,
approved BOOLEAN,
redirect_uri VARCHAR(2048),
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authentication_holder_resource_id (
owner_id BIGINT,
resource_id VARCHAR(2048)
owner_id BIGINT,
resource_id VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_response_type (
owner_id BIGINT,
response_type VARCHAR(2048)
owner_id BIGINT,
response_type VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_extension (
owner_id BIGINT,
extension VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
extension VARCHAR(2048),
val VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
param VARCHAR(2048),
val TEXT
);
CREATE TABLE IF NOT EXISTS saved_user_auth (
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024),
authenticated BOOLEAN,
source_class VARCHAR(2048)
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024),
authenticated BOOLEAN,
source_class VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS saved_user_auth_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_authority (
owner_id BIGINT,
authority VARCHAR(256)
owner_id BIGINT,
authority VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS authorization_code (
id BIGSERIAL PRIMARY KEY,
code VARCHAR(256),
auth_holder_id BIGINT,
expiration TIMESTAMP
id BIGSERIAL PRIMARY KEY,
code VARCHAR(256),
auth_holder_id BIGINT,
expiration TIMESTAMP
);
CREATE TABLE IF NOT EXISTS client_grant_type (
owner_id BIGINT,
grant_type VARCHAR(2000)
owner_id BIGINT,
grant_type VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_response_type (
owner_id BIGINT,
response_type VARCHAR(2000)
owner_id BIGINT,
response_type VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS blacklisted_site (
id BIGSERIAL PRIMARY KEY,
uri VARCHAR(2048)
id BIGSERIAL PRIMARY KEY,
uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS client_details (
id BIGSERIAL PRIMARY KEY,
id BIGSERIAL PRIMARY KEY,
client_description VARCHAR(1024),
reuse_refresh_tokens BOOLEAN DEFAULT true NOT NULL,
dynamically_registered BOOLEAN DEFAULT false NOT NULL,
allow_introspection BOOLEAN DEFAULT false NOT NULL,
id_token_validity_seconds BIGINT DEFAULT 600 NOT NULL,
device_code_validity_seconds BIGINT,
client_description VARCHAR(1024),
reuse_refresh_tokens BOOLEAN DEFAULT true NOT NULL,
dynamically_registered BOOLEAN DEFAULT false NOT NULL,
allow_introspection BOOLEAN DEFAULT false NOT NULL,
id_token_validity_seconds BIGINT DEFAULT 600 NOT NULL,
device_code_validity_seconds BIGINT,
client_id VARCHAR(256),
client_secret VARCHAR(2048),
access_token_validity_seconds BIGINT,
refresh_token_validity_seconds BIGINT,
client_id VARCHAR(256),
client_secret VARCHAR(2048),
access_token_validity_seconds BIGINT,
refresh_token_validity_seconds BIGINT,
application_type VARCHAR(256),
client_name VARCHAR(256),
token_endpoint_auth_method VARCHAR(256),
subject_type VARCHAR(256),
application_type VARCHAR(256),
client_name VARCHAR(256),
token_endpoint_auth_method VARCHAR(256),
subject_type VARCHAR(256),
policy_uri VARCHAR(2048),
client_uri VARCHAR(2048),
tos_uri VARCHAR(2048),
policy_uri VARCHAR(2048),
client_uri VARCHAR(2048),
tos_uri VARCHAR(2048),
jwks_uri VARCHAR(2048),
jwks VARCHAR(8192),
sector_identifier_uri VARCHAR(2048),
jwks_uri VARCHAR(2048),
jwks VARCHAR(8192),
sector_identifier_uri VARCHAR(2048),
request_object_signing_alg VARCHAR(256),
request_object_signing_alg VARCHAR(256),
user_info_signed_response_alg VARCHAR(256),
user_info_encrypted_response_alg VARCHAR(256),
user_info_encrypted_response_enc VARCHAR(256),
user_info_signed_response_alg VARCHAR(256),
user_info_encrypted_response_alg VARCHAR(256),
user_info_encrypted_response_enc VARCHAR(256),
id_token_signed_response_alg VARCHAR(256),
id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256),
id_token_signed_response_alg VARCHAR(256),
id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
default_max_age BIGINT,
require_auth_time BOOLEAN,
created_at TIMESTAMP,
initiate_login_uri VARCHAR(2048),
clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
default_max_age BIGINT,
require_auth_time BOOLEAN,
created_at TIMESTAMP,
initiate_login_uri VARCHAR(2048),
clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
software_statement VARCHAR(4096),
software_id VARCHAR(2048),
software_version VARCHAR(2048),
software_statement VARCHAR(4096),
software_id VARCHAR(2048),
software_version VARCHAR(2048),
code_challenge_method VARCHAR(256),
code_challenge_method VARCHAR(256),
UNIQUE (client_id)
UNIQUE (client_id)
);
CREATE TABLE IF NOT EXISTS client_request_uri (
owner_id BIGINT,
request_uri VARCHAR(2000)
owner_id BIGINT,
request_uri VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_post_logout_redirect_uri (
owner_id BIGINT,
post_logout_redirect_uri VARCHAR(2000)
owner_id BIGINT,
post_logout_redirect_uri VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_default_acr_value (
owner_id BIGINT,
default_acr_value VARCHAR(2000)
owner_id BIGINT,
default_acr_value VARCHAR(2000)
);
CREATE TABLE IF NOT EXISTS client_contact (
owner_id BIGINT,
contact VARCHAR(256)
owner_id BIGINT,
contact VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_redirect_uri (
owner_id BIGINT,
redirect_uri VARCHAR(2048)
owner_id BIGINT,
redirect_uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
owner_id BIGINT,
redirect_uri VARCHAR(2048)
owner_id BIGINT,
redirect_uri VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS refresh_token (
id BIGSERIAL PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP,
auth_holder_id BIGINT,
client_id BIGINT
id BIGSERIAL PRIMARY KEY,
token_value VARCHAR(4096),
expiration TIMESTAMP,
auth_holder_id BIGINT,
client_id BIGINT
);
CREATE TABLE IF NOT EXISTS client_resource (
owner_id BIGINT,
resource_id VARCHAR(256)
owner_id BIGINT,
resource_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS client_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS token_scope (
owner_id BIGINT,
scope VARCHAR(2048)
owner_id BIGINT,
scope VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS system_scope (
id BIGSERIAL PRIMARY KEY,
scope VARCHAR(256) NOT NULL,
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN DEFAULT false NOT NULL,
default_scope BOOLEAN DEFAULT false NOT NULL,
UNIQUE (scope)
id BIGSERIAL PRIMARY KEY,
scope VARCHAR(256) NOT NULL,
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN DEFAULT false NOT NULL,
default_scope BOOLEAN DEFAULT false NOT NULL,
UNIQUE (scope)
);
CREATE TABLE IF NOT EXISTS user_info (
id BIGSERIAL PRIMARY KEY,
sub VARCHAR(256),
preferred_username VARCHAR(256),
name VARCHAR(256),
given_name VARCHAR(256),
family_name VARCHAR(256),
middle_name VARCHAR(256),
nickname VARCHAR(256),
profile VARCHAR(256),
picture VARCHAR(256),
website VARCHAR(256),
email VARCHAR(256),
email_verified BOOLEAN,
gender VARCHAR(256),
zone_info VARCHAR(256),
locale VARCHAR(256),
phone_number VARCHAR(256),
phone_number_verified BOOLEAN,
address_id VARCHAR(256),
updated_time VARCHAR(256),
birthdate VARCHAR(256),
src VARCHAR(4096)
id BIGSERIAL PRIMARY KEY,
sub VARCHAR(256),
preferred_username VARCHAR(256),
name VARCHAR(256),
given_name VARCHAR(256),
family_name VARCHAR(256),
middle_name VARCHAR(256),
nickname VARCHAR(256),
profile VARCHAR(256),
picture VARCHAR(256),
website VARCHAR(256),
email VARCHAR(256),
email_verified BOOLEAN,
gender VARCHAR(256),
zone_info VARCHAR(256),
locale VARCHAR(256),
phone_number VARCHAR(256),
phone_number_verified BOOLEAN,
address_id VARCHAR(256),
updated_time VARCHAR(256),
birthdate VARCHAR(256),
src VARCHAR(4096)
);
CREATE TABLE IF NOT EXISTS whitelisted_site (
id BIGSERIAL PRIMARY KEY,
creator_user_id VARCHAR(256),
client_id VARCHAR(256)
id BIGSERIAL PRIMARY KEY,
creator_user_id VARCHAR(256),
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS whitelisted_site_scope (
owner_id BIGINT,
scope VARCHAR(256)
owner_id BIGINT,
scope VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS pairwise_identifier (
id BIGSERIAL PRIMARY KEY,
identifier VARCHAR(256),
sub VARCHAR(256),
sector_identifier VARCHAR(2048)
id BIGSERIAL PRIMARY KEY,
identifier VARCHAR(256),
sub VARCHAR(256),
sector_identifier VARCHAR(2048)
);
CREATE TABLE IF NOT EXISTS resource_set (
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024) NOT NULL,
uri VARCHAR(1024),
icon_uri VARCHAR(1024),
rs_type VARCHAR(256),
owner VARCHAR(256) NOT NULL,
client_id VARCHAR(256)
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024) NOT NULL,
uri VARCHAR(1024),
icon_uri VARCHAR(1024),
rs_type VARCHAR(256),
owner VARCHAR(256) NOT NULL,
client_id VARCHAR(256)
);
CREATE TABLE IF NOT EXISTS resource_set_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS permission_ticket (
id BIGSERIAL PRIMARY KEY,
ticket VARCHAR(256) NOT NULL,
permission_id BIGINT NOT NULL,
expiration TIMESTAMP
id BIGSERIAL PRIMARY KEY,
ticket VARCHAR(256) NOT NULL,
permission_id BIGINT NOT NULL,
expiration TIMESTAMP
);
CREATE TABLE IF NOT EXISTS permission (
id BIGSERIAL PRIMARY KEY,
resource_set_id BIGINT
id BIGSERIAL PRIMARY KEY,
resource_set_id BIGINT
);
CREATE TABLE IF NOT EXISTS permission_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS claim (
id BIGSERIAL PRIMARY KEY,
name VARCHAR(256),
friendly_name VARCHAR(1024),
claim_type VARCHAR(1024),
claim_value VARCHAR(1024)
id BIGSERIAL PRIMARY KEY,
name VARCHAR(256),
friendly_name VARCHAR(1024),
claim_type VARCHAR(1024),
claim_value VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS claim_to_policy (
policy_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
policy_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS claim_to_permission_ticket (
permission_ticket_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
permission_ticket_id BIGINT NOT NULL,
claim_id BIGINT NOT NULL
);
CREATE TABLE IF NOT EXISTS policy (
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024),
resource_set_id BIGINT
id BIGSERIAL PRIMARY KEY,
name VARCHAR(1024),
resource_set_id BIGINT
);
CREATE TABLE IF NOT EXISTS policy_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS claim_token_format (
owner_id BIGINT NOT NULL,
claim_token_format VARCHAR(1024)
owner_id BIGINT NOT NULL,
claim_token_format VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS claim_issuer (
owner_id BIGINT NOT NULL,
issuer VARCHAR(1024)
owner_id BIGINT NOT NULL,
issuer VARCHAR(1024)
);
CREATE TABLE IF NOT EXISTS saved_registered_client (
id BIGSERIAL PRIMARY KEY,
issuer VARCHAR(1024),
registered_client VARCHAR(8192)
id BIGSERIAL PRIMARY KEY,
issuer VARCHAR(1024),
registered_client VARCHAR(8192)
);
CREATE TABLE IF NOT EXISTS device_code (
id BIGSERIAL PRIMARY KEY,
device_code VARCHAR(1024),
user_code VARCHAR(1024),
expiration TIMESTAMP NULL,
client_id VARCHAR(256),
approved BOOLEAN,
auth_holder_id BIGINT
id BIGSERIAL PRIMARY KEY,
device_code VARCHAR(1024),
user_code VARCHAR(1024),
expiration TIMESTAMP NULL,
client_id VARCHAR(256),
approved BOOLEAN,
auth_holder_id BIGINT
);
CREATE TABLE IF NOT EXISTS device_code_scope (
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
owner_id BIGINT NOT NULL,
scope VARCHAR(256) NOT NULL
);
CREATE TABLE IF NOT EXISTS device_code_request_parameter (
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
owner_id BIGINT,
param VARCHAR(2048),
val VARCHAR(2048)
);


@ -1,33 +1,33 @@
--
-- Turn off autocommit and start a transaction so that we can use the temp tables
--
--SET AUTOCOMMIT = OFF;
START TRANSACTION;
CREATE TEMPORARY TABLE IF NOT EXISTS system_scope_TEMP (
scope VARCHAR(256),
description VARCHAR(4096),
icon VARCHAR(256),
restricted BOOLEAN,
default_scope BOOLEAN
);
--
-- Insert scope information into the temporary tables.
--
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('openid', 'log in using your identity', 'user', false, true),
('profile', 'basic profile information', 'list-alt', false, true),
('email', 'email address', 'envelope', false, true),
('address', 'physical address', 'home', false, true),
('phone', 'telephone number', 'bell', false, true),
('offline_access', 'offline access', 'time', false, false);
('openid', 'log in using your identity', 'user', false, true),
('profile', 'basic profile information', 'list-alt', false, true),
('email', 'email address', 'envelope', false, true),
('address', 'physical address', 'home', false, true),
('phone', 'telephone number', 'bell', false, true),
('offline_access', 'offline access', 'time', false, false),
('perun_api', 'calls to Perun API in your roles', 'cog', true, false)
;
--
-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
--
INSERT INTO system_scope (scope, description, icon, restricted, default_scope)
SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP
ON CONFLICT(scope)
DO NOTHING;
SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP
ON CONFLICT(scope) DO NOTHING;
COMMIT;
--SET AUTOCOMMIT = ON;
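Review bot: The `system_scope_TEMP` staging table is never truncated or dropped, and a PostgreSQL temporary table lives for the whole session by default, so running this script twice on one connection appends a second copy of every row before the merge; the `ON CONFLICT(scope) DO NOTHING` masks that, but it is avoidable. Declaring it `CREATE TEMPORARY TABLE IF NOT EXISTS system_scope_TEMP (...) ON COMMIT DROP` ties the staging rows to the transaction that consumes them. The commented-out `--SET AUTOCOMMIT = OFF;` and `--SET AUTOCOMMIT = ON;` lines are residue from the non-PostgreSQL variant and could be deleted rather than left as dead text.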


@ -1,14 +0,0 @@
--
-- Tables for Spring Security's user details service
--
create table IF NOT EXISTS users(
username varchar(50) not null primary key,
password varchar(50) not null,
enabled boolean not null);
create table IF NOT EXISTS authorities (
username varchar(50) not null,
authority varchar(50) not null,
constraint fk_authorities_users foreign key(username) references users(username),
constraint ix_authority unique (username,authority));


@ -0,0 +1,6 @@
CREATE TABLE shedlock (
name VARCHAR(64) PRIMARY KEY,
lock_until TIMESTAMP(3) NULL,
locked_at TIMESTAMP(3) NULL,
locked_by VARCHAR(255)
);
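Review bot: `CREATE TABLE shedlock (` omits the `IF NOT EXISTS` that every other table in this schema carries (for example `CREATE TABLE IF NOT EXISTS client_request_uri`), so re-running the schema script against an existing database fails on this statement instead of being a no-op like the rest. `CREATE TABLE IF NOT EXISTS shedlock (` keeps the file idempotent and consistent with the other DDL. The column layout itself appears to be the standard ShedLock JDBC table, so nothing else needs to change here.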


@ -1,55 +0,0 @@
--
-- Turn off autocommit and start a transaction so that we can use the temp tables
--
--SET AUTOCOMMIT FALSE;
START TRANSACTION;
--
-- Insert user information into the temporary tables. To add users to the HSQL database, edit things here.
--
INSERT INTO users_TEMP (username, password, enabled) VALUES
('admin','password',true),
('user','password',true);
INSERT INTO authorities_TEMP (username, authority) VALUES
('admin','ROLE_ADMIN'),
('admin','ROLE_USER'),
('user','ROLE_USER');
-- By default, the username column here has to match the username column in the users table, above
INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES
('90342.ASDFJWFA','admin','Demo Admin','admin@example.com', true),
('01921.FLANRJQW','user','Demo User','user@example.com', true);
--
-- Merge the temporary users safely into the database. This is a two-step process to keep users from being created on every startup with a persistent store.
--
INSERT INTO users
SELECT username, password, enabled FROM users_TEMP
ON CONFLICT(username)
DO NOTHING;
INSERT INTO authorities
SELECT username, authority FROM authorities_TEMP
ON CONFLICT(username, authority)
DO NOTHING;
INSERT INTO user_info (sub, preferred_username, name, email, email_verified)
SELECT sub, preferred_username, name, email, email_verified FROM user_info_TEMP
ON CONFLICT
DO NOTHING;
--
-- Close the transaction and turn autocommit back on
--
COMMIT;
--SET AUTOCOMMIT TRUE;


@ -1,87 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE log4j:configuration PUBLIC "-//APACHE//DTD LOG4J 1.2//EN" "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
<!-- Appenders -->
<appender name="FILE" class="org.apache.log4j.FileAppender">
<param name="file" value="/var/log/oidc/elixir/log.out"/>
<param name="immediateFlush" value="true"/>
<param name="threshold" value="debug"/>
<param name="append" value="true"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="conversionPattern" value="%m%n"/>
</layout>
</appender>
<!-- Application Loggers -->
<logger name="cz.muni.ics.openid">
<level value="info" />
</logger>
<logger name="cz.muni.ics.oauth2">
<level value="info" />
</logger>
<logger name="cz.muni.ics.discovery">
<level value="info" />
</logger>
<logger name="cz.muni.ics.jose">
<level value="info" />
</logger>
<logger name="cz.muni.ics.jwt">
<level value="info" />
</logger>
<logger name="cz.muni.ics.util">
<level value="info" />
</logger>
<logger name="cz.muni.ics.uma">
<level value="info" />
</logger>
<logger name="cz.muni.ics.data">
<level value="info" />
</logger>
<!-- 3rdparty Loggers -->
<logger name="org.springframework.core">
<level value="info" />
</logger>
<logger name="org.springframework.beans">
<level value="info" />
</logger>
<logger name="org.springframework.context">
<level value="info" />
</logger>
<logger name="org.springframework.web">
<level value="info" />
</logger>
<logger name="org.springframework.security">
<level value="warn" />
</logger>
<!-- Root Logger -->
<root>
<priority value="warn" />
<appender-ref ref="file" />
</root>
</log4j:configuration>


@ -36,23 +36,26 @@
<appender-ref ref="${log.to}"/>
</root>
<!-- keep Spring quiet -->
<!-- SPRING -->
<logger name="org.springframework" level="warn"/>
<logger name="org.springframework.security.saml" level="warn"/>
<logger name="org.springframework.security.core.SpringSecurityCoreVersion" level="info"/>
<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
<logger name="org.apache" level="warn"/>
<logger name="org.apache.directory" level="warn"/>
<logger name="org.apache.directory.ldap.client.api.LdapNetworkConnection" level="error"/>
<logger name="com.zaxxer.hikari" level="warn"/>
<logger name="cz.muni.ics" level="info"/>
<logger name="org.opensaml" level="info"/>
<logger name="org.springframework.security.saml" level="debug"/>
<!-- SAML -->
<logger name="org.opensaml" level="warn"/>
<logger name="PROTOCOL_MESSAGE" level="warn"/>
<!-- LDAP -->
<logger name="org.apache" level="warn"/>
<logger name="org.apache.directory.ldap.client.api.LdapNetworkConnection" level="error"/>
<!-- DB -->
<logger name="com.zaxxer.hikari" level="warn"/>
<logger name="net.javacrumbs.shedlock" level="error"/>
<!-- OUR LOGGERS -->
<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
<logger name="cz.muni.ics.oidc" level="${log.level}"/>
<logger name="cz.muni.ics" level="${log.level}"/>
<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
<logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
<logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/>
<logger name="net.javacrumbs.shedlock" level="error"/>
<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
</configuration>
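Review bot: The `cz.muni.ics.oidc.aop.WebLoggingAspect` and `ExecutionTimeLoggingAspect` loggers are pinned to `debug` and `trace` while the rest of `cz.muni.ics` follows the `${log.level}` build property, so a production build that sets `log.level` to `warn` still emits both aspects at full verbosity. If the web aspect logs request parameters or headers (not visible in this hunk — verify), that would put authorization codes or bearer tokens into the log file regardless of the configured level. Consider `<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="${log.level}"/>` and the same for the execution-time aspect, or a dedicated build property for the two.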


@ -131,6 +131,10 @@
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
</dependency>
<dependency>
<groupId>org.apache.directory.api</groupId>
<artifactId>api-all</artifactId>
@ -185,6 +189,10 @@
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
</dependencies>
<build>
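Review bot: The new `lombok` dependency in the second hunk is declared with default compile scope, so unless the parent `dependencyManagement` (outside this hunk) already overrides it, the annotation processor ends up packaged into the deployable artifact even though it is only needed at compile time; adding `<scope>provided</scope>` under the `<artifactId>lombok</artifactId>` line keeps it off the runtime classpath. Neither new dependency carries a `<version>` here, so both must be pinned by the parent BOM — worth confirming, since `org.postgresql:postgresql` is the JDBC driver every database call goes through and an unpinned driver resolves to whatever the build machine's repository offers.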


@ -18,9 +18,7 @@ package cz.muni.ics.data;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
/**
* Abstract class for performing an operation on a potentially large
@ -29,10 +27,9 @@ import org.slf4j.LoggerFactory;
* @param <T> the type parameter
* @author Colm Smyth.
*/
@Slf4j
public abstract class AbstractPageOperationTemplate<T> {
private static final Logger logger = LoggerFactory.getLogger(AbstractPageOperationTemplate.class);
private static final int DEFAULT_MAX_PAGES = 1000;
private static final long DEFAULT_MAX_TIME_MILLIS = 600000L; //10 Minutes
@ -91,7 +88,7 @@ public abstract class AbstractPageOperationTemplate<T> {
* swallowException (default true) field is set true.
*/
public void execute(){
logger.debug("[{}] Starting execution of paged operation. max time: {}, max pages: {}", getOperationName(), maxTime, maxPages);
log.debug("[{}] Starting execution of paged operation. max time: {}, max pages: {}", getOperationName(), maxTime, maxPages);
long startTime = System.currentTimeMillis();
long executionTime = 0;
@ -115,9 +112,9 @@ public abstract class AbstractPageOperationTemplate<T> {
if(swallowExceptions){
exceptionsSwallowedCount++;
exceptionsSwallowedClasses.add(e.getClass().getName());
logger.debug("Swallowing exception " + e.getMessage(), e);
log.debug("Swallowing exception " + e.getMessage(), e);
} else {
logger.debug("Rethrowing exception " + e.getMessage());
log.debug("Rethrowing exception " + e.getMessage());
throw e;
}
}
@ -149,11 +146,11 @@ public abstract class AbstractPageOperationTemplate<T> {
*/
protected void finalReport(int operationsCompleted, int exceptionsSwallowedCount, Set<String> exceptionsSwallowedClasses) {
if (operationsCompleted > 0 || exceptionsSwallowedCount > 0) {
logger.info("[{}] Paged operation run: completed {}; swallowed {} exceptions",
log.info("[{}] Paged operation run: completed {}; swallowed {} exceptions",
getOperationName(), operationsCompleted, exceptionsSwallowedCount);
}
for(String className: exceptionsSwallowedClasses) {
logger.warn("[{}] Paged operation swallowed at least one exception of type {}", getOperationName(), className);
log.warn("[{}] Paged operation swallowed at least one exception of type {}", getOperationName(), className);
}
}
}


@ -17,26 +17,22 @@
*******************************************************************************/
package cz.muni.ics.discovery.util;
import com.google.common.base.Strings;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import com.google.common.base.Strings;
/**
* Provides utility methods for normalizing and parsing URIs for use with Webfinger Discovery.
*
* @author wkim
*/
@Slf4j
public class WebfingerURLNormalizer {
private static final Logger logger = LoggerFactory.getLogger(WebfingerURLNormalizer.class);
// pattern used to parse user input; we can't use the built-in java URI parser
private static final Pattern pattern = Pattern.compile("^" +
"((https|acct|http|mailto|tel|device):(//)?)?" + // scheme
@ -63,7 +59,7 @@ public class WebfingerURLNormalizer {
// NOTE: we can't use the Java built-in URI class because it doesn't split the parts appropriately
if (StringUtils.isEmpty(identifier)) {
logger.warn("Can't normalize null or empty URI: " + identifier);
log.warn("Can't normalize null or empty URI: " + identifier);
return null;
} else {
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
@ -81,7 +77,7 @@ public class WebfingerURLNormalizer {
builder.query(m.group(13));
builder.fragment(m.group(15)); // we throw away the hash, but this is the group it would be if we kept it
} else {
logger.warn("Parser couldn't match input: {}", identifier);
log.warn("Parser couldn't match input: {}", identifier);
return null;
}


@ -20,35 +20,31 @@
*/
package cz.muni.ics.discovery.view;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import java.io.IOException;
import java.io.Writer;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.web.servlet.view.AbstractView;
import com.google.gson.ExclusionStrategy;
import com.google.gson.FieldAttributes;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import java.io.IOException;
import java.io.Writer;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.web.servlet.view.AbstractView;
/**
* @author jricher
*
*/
@Component("webfingerView")
@Slf4j
public class WebfingerView extends AbstractView {
private static final Logger logger = LoggerFactory.getLogger(WebfingerView.class);
private final Gson gson = new GsonBuilder()
.setExclusionStrategies(new ExclusionStrategy() {
@ -95,7 +91,7 @@ public class WebfingerView extends AbstractView {
Writer out = response.getWriter();
gson.toJson(obj, out);
} catch (IOException e) {
logger.error("IOException in WebfingerView.java: ", e);
log.error("IOException in WebfingerView.java: ", e);
}
}


@ -17,9 +17,23 @@
*******************************************************************************/
package cz.muni.ics.discovery.web;
import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Lists;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import cz.muni.ics.discovery.util.WebfingerURLNormalizer;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint;
import cz.muni.ics.oauth2.web.IntrospectionEndpoint;
import cz.muni.ics.oauth2.web.RevocationEndpoint;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint;
@ -30,17 +44,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint;
import cz.muni.ics.oauth2.web.IntrospectionEndpoint;
import cz.muni.ics.oauth2.web.RevocationEndpoint;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
@ -51,13 +55,6 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Lists;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
/**
*
* Handle OpenID Connect Discovery.
@ -66,10 +63,9 @@ import com.nimbusds.jose.JWSAlgorithm;
*
*/
@Controller
@Slf4j
public class DiscoveryEndpoint {
private static final Logger logger = LoggerFactory.getLogger(DiscoveryEndpoint.class);
public static final String WELL_KNOWN_URL = ".well-known";
public static final String OPENID_CONFIGURATION_URL = WELL_KNOWN_URL + "/openid-configuration";
public static final String WEBFINGER_URL = WELL_KNOWN_URL + "/webfinger";
@ -100,7 +96,7 @@ public class DiscoveryEndpoint {
@RequestParam(value = "rel", required = false) String rel,
Model model) {
if (!Strings.isNullOrEmpty(rel) && !rel.equals(ISSUER_STRING)) {
logger.warn("Responding to webfinger request for non-OIDC relation: {}", rel);
log.warn("Responding to webfinger request for non-OIDC relation: {}", rel);
}
if (!resource.equals(config.getIssuer())) {
@ -111,7 +107,7 @@ public class DiscoveryEndpoint {
&& resourceUri.getScheme().equals("acct")) {
UserInfo user = extractUser(resourceUri);
if (user == null) {
logger.info("User not found: {}", resource);
log.info("User not found: {}", resource);
model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
@ -119,12 +115,12 @@ public class DiscoveryEndpoint {
UriComponents issuerComponents = UriComponentsBuilder.fromHttpUrl(config.getIssuer()).build();
if (!Strings.nullToEmpty(issuerComponents.getHost())
.equals(Strings.nullToEmpty(resourceUri.getHost()))) {
logger.info("Host mismatch, expected " + issuerComponents.getHost() + " got " + resourceUri.getHost());
log.info("Host mismatch, expected " + issuerComponents.getHost() + " got " + resourceUri.getHost());
model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
} else {
logger.info("Unknown URI format: " + resource);
log.info("Unknown URI format: " + resource);
model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
@ -269,7 +265,7 @@ public class DiscoveryEndpoint {
String baseUrl = config.getIssuer();
if (!baseUrl.endsWith("/")) {
logger.debug("Configured issuer doesn't end in /, adding for discovery: {}", baseUrl);
log.debug("Configured issuer doesn't end in /, adding for discovery: {}", baseUrl);
baseUrl = baseUrl.concat("/");
}


@ -19,8 +19,6 @@ package cz.muni.ics.jose.keystore;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import org.springframework.core.io.Resource;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
@ -28,6 +26,7 @@ import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.core.io.Resource;
/**
* @author jricher


@ -3,15 +3,12 @@ package cz.muni.ics.jwt.assertion;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.text.ParseException;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public abstract class AbstractAssertionValidator implements AssertionValidator {
private static final Logger logger = LoggerFactory.getLogger(AbstractAssertionValidator.class);
/**
* Extract issuer from claims present in JWT assertion.
* @param assertion JWT assertion object.
@ -26,7 +23,7 @@ public abstract class AbstractAssertionValidator implements AssertionValidator {
try {
claims = assertion.getJWTClaimsSet();
} catch (ParseException e) {
logger.debug("Invalid assertion claims");
log.debug("Invalid assertion claims");
return null;
}


@ -16,9 +16,8 @@
package cz.muni.ics.jwt.assertion.impl;
import cz.muni.ics.jwt.assertion.AssertionValidator;
import com.nimbusds.jwt.JWT;
import cz.muni.ics.jwt.assertion.AssertionValidator;
/**
* Reject all assertions passed in.


@ -16,17 +16,15 @@
package cz.muni.ics.jwt.assertion.impl;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.jwt.assertion.AbstractAssertionValidator;
import cz.muni.ics.jwt.assertion.AssertionValidator;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import cz.muni.ics.jwt.assertion.AbstractAssertionValidator;
import cz.muni.ics.jwt.assertion.AssertionValidator;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
/**
@ -35,10 +33,9 @@ import org.springframework.util.StringUtils;
* @author jricher
*/
@Component("selfAssertionValidator")
@Slf4j
public class SelfAssertionValidator extends AbstractAssertionValidator implements AssertionValidator {
private static final Logger logger = LoggerFactory.getLogger(SelfAssertionValidator.class);
private final ConfigurationPropertiesBean config;
private final JWTSigningAndValidationService jwtService;
@ -52,10 +49,10 @@ public class SelfAssertionValidator extends AbstractAssertionValidator implement
public boolean isValid(JWT assertion) {
String issuer = extractIssuer(assertion);
if (StringUtils.isEmpty(issuer)) {
logger.debug("No issuer for assertion, rejecting");
log.debug("No issuer for assertion, rejecting");
return false;
} else if (!issuer.equals(config.getIssuer())) {
logger.debug("Issuer is not the same as this server, rejecting");
log.debug("Issuer is not the same as this server, rejecting");
return false;
}


@ -18,25 +18,22 @@ package cz.muni.ics.jwt.assertion.impl;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.jwt.assertion.AbstractAssertionValidator;
import cz.muni.ics.jwt.assertion.AssertionValidator;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.jwt.signer.service.impl.JWKSetCacheService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import java.util.HashMap;
import java.util.Map;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
/**
* Checks to see if the assertion has been signed by a particular authority available from a whitelist
* @author jricher
*/
@Slf4j
public class WhitelistedIssuerAssertionValidator extends AbstractAssertionValidator implements AssertionValidator {
private static final Logger logger = LoggerFactory.getLogger(WhitelistedIssuerAssertionValidator.class);
private Map<String, String> whitelist = new HashMap<>(); //Map of issuer -> JWKSetUri
private JWKSetCacheService jwkCache;
@ -60,10 +57,10 @@ public class WhitelistedIssuerAssertionValidator extends AbstractAssertionValida
public boolean isValid(JWT assertion) {
String issuer = extractIssuer(assertion);
if (StringUtils.isEmpty(issuer)) {
logger.debug("No issuer for assertion, rejecting");
log.debug("No issuer for assertion, rejecting");
return false;
} else if (!whitelist.containsKey(issuer)) {
logger.debug("Issuer is not in whitelist, rejecting");
log.debug("Issuer is not in whitelist, rejecting");
return false;
}


@ -17,13 +17,12 @@
*******************************************************************************/
package cz.muni.ics.jwt.encryption.service;
import java.util.Collection;
import java.util.Map;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.jwk.JWK;
import java.util.Collection;
import java.util.Map;
/**
* @author wkim


@ -17,26 +17,13 @@
*******************************************************************************/
package cz.muni.ics.jwt.encryption.service.impl;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import com.nimbusds.jose.KeyLengthException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.ECDHDecrypter;
@ -48,15 +35,23 @@ import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
/**
* @author wkim
*/
@Slf4j
public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAndDecryptionService {
private static final Logger logger = LoggerFactory.getLogger(DefaultJWTEncryptionAndDecryptionService.class);
private final Map<String, JWEEncrypter> encrypters = new HashMap<>();
private final Map<String, JWEDecrypter> decrypters = new HashMap<>();
private String defaultEncryptionKeyId;
@ -157,7 +152,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
try {
jwt.encrypt(encrypter);
} catch (JOSEException e) {
logger.error("Failed to encrypt JWT, error was: ", e);
log.error("Failed to encrypt JWT, error was: ", e);
}
}
@ -172,7 +167,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
try {
jwt.decrypt(decrypter);
} catch (JOSEException e) {
logger.error("Failed to decrypt JWT, error was: ", e);
log.error("Failed to decrypt JWT, error was: ", e);
}
}
@ -238,7 +233,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
} else if (jwk instanceof OctetSequenceKey) {
handleOctetSeqKey(id, jwk);
} else {
logger.warn("Unknown key type: {}", jwk);
log.warn("Unknown key type: {}", jwk);
}
}
}
@ -263,7 +258,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
decrypter.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
decrypters.put(id, decrypter);
} else {
logger.warn("No private key for key #{}", jwk.getKeyID());
log.warn("No private key for key #{}", jwk.getKeyID());
}
}
@ -277,7 +272,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
decrypter.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
decrypters.put(id, decrypter);
} else {
logger.warn("No private key for key #{}", jwk.getKeyID());
log.warn("No private key for key #{}", jwk.getKeyID());
}
}
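Review bot: At `log.error("Failed to encrypt JWT, error was: ", e);` the JOSEException is swallowed and the method returns normally, so the caller gets back a JWEObject that was never encrypted and receives no signal that the step failed; the decrypt path at `log.error("Failed to decrypt JWT, error was: ", e);` has the same shape. Since the commit is already rewriting these lines, it is a good moment to let the failure propagate, e.g. `throw new IllegalStateException("Failed to encrypt JWT", e);` in the catch block, or at least to state in the method Javadoc that failure is reported only through the log. Both enclosing methods start outside their hunks, so a status check I cannot see may follow the try/catch.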


@ -17,13 +17,12 @@
*******************************************************************************/
package cz.muni.ics.jwt.signer.service;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.Map;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jwt.SignedJWT;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.Map;
public interface JWTSigningAndValidationService {


@ -16,22 +16,6 @@
package cz.muni.ics.jwt.signer.service.impl;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import cz.muni.ics.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
@ -39,6 +23,19 @@ import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
/**
@ -48,14 +45,13 @@ import org.springframework.util.StringUtils;
* @author jricher
*/
@Service
@Slf4j
public class ClientKeyCacheService {
private static Logger logger = LoggerFactory.getLogger(ClientKeyCacheService.class);
private JWKSetCacheService jwksUriCache;
private SymmetricKeyJWTValidatorCacheService symmetricCache;
private LoadingCache<JWKSet, JWTSigningAndValidationService> jwksValidators;
private LoadingCache<JWKSet, JWTEncryptionAndDecryptionService> jwksEncrypters;
private final JWKSetCacheService jwksUriCache;
private final SymmetricKeyJWTValidatorCacheService symmetricCache;
private final LoadingCache<JWKSet, JWTSigningAndValidationService> jwksValidators;
private final LoadingCache<JWKSet, JWTEncryptionAndDecryptionService> jwksEncrypters;
@Autowired
public ClientKeyCacheService(JWKSetCacheService jwksUriCache, SymmetricKeyJWTValidatorCacheService symmetricCache) {
@ -103,7 +99,7 @@ public class ClientKeyCacheService {
return null;
}
} catch (UncheckedExecutionException | ExecutionException e) {
logger.error("Problem loading client validator", e);
log.error("Problem loading client validator", e);
return null;
}
}
@ -118,7 +114,7 @@ public class ClientKeyCacheService {
return null;
}
} catch (UncheckedExecutionException | ExecutionException e) {
logger.error("Problem loading client encrypter", e);
log.error("Problem loading client encrypter", e);
return null;
}
}


@ -18,7 +18,6 @@
package cz.muni.ics.jwt.signer.service.impl;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSProvider;
import com.nimbusds.jose.JWSSigner;
@ -36,21 +35,18 @@ import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
@Slf4j
public class DefaultJWTSigningAndValidationService implements JWTSigningAndValidationService {
private static final Logger logger = LoggerFactory.getLogger(DefaultJWTSigningAndValidationService.class);
private final Map<String, JWSSigner> signers = new HashMap<>();
private final Map<String, JWSVerifier> verifiers = new HashMap<>();
@ -126,7 +122,7 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
try {
jwt.sign(signer);
} catch (JOSEException e) {
logger.error("Failed to sign JWT, error was: ", e);
log.error("Failed to sign JWT, error was: ", e);
}
}
@ -142,12 +138,12 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
}
if (signer == null) {
logger.error("No matching algorithm found for alg={}", alg);
log.error("No matching algorithm found for alg={}", alg);
} else {
try {
jwt.sign(signer);
} catch (JOSEException e) {
logger.error("Failed to sign JWT, error was: ", e);
log.error("Failed to sign JWT, error was: ", e);
}
}
}
@ -158,7 +154,7 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
try {
return jwt.verify(verifier);
} catch (JOSEException e) {
logger.error("Failed to validate signature with {} error message: {}", verifier, e.getMessage());
log.error("Failed to validate signature with {} error message: {}", verifier, e.getMessage());
}
}
@ -201,10 +197,10 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
} else if (jwk instanceof OctetSequenceKey) {
processOctetKey(signers, verifiers, jwk, id);
} else {
logger.warn("Unknown key type: {}", jwk);
log.warn("Unknown key type: {}", jwk);
}
} catch (JOSEException e) {
logger.warn("Exception loading signer/verifier", e);
log.warn("Exception loading signer/verifier", e);
}
}
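Review bot: At `log.error("No matching algorithm found for alg={}", alg);` and at both `log.error("Failed to sign JWT, error was: ", e);` lines the JWT is left unsigned while the method returns normally, so a caller that goes on to serialize the token has no indication that the signature step was skipped or failed. As these lines are being rewritten anyway, consider propagating the failure, e.g. `throw new IllegalStateException("Failed to sign JWT", e);` in the catch blocks and an explicit exception in the missing-algorithm branch, or document that callers are expected to check the JWS state before using the token. The enclosing methods start and end outside the hunks, so a check may exist that is not visible here.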


@ -20,28 +20,25 @@
*/
package cz.muni.ics.jwt.signer.service.impl;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import cz.muni.ics.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.gson.JsonParseException;
import com.nimbusds.jose.jwk.JWKSet;
import cz.muni.ics.jose.keystore.JWKSetKeyStore;
import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
/**
* Creates a caching map of JOSE signers/validators and encrypters/decryptors
@ -50,10 +47,9 @@ import com.nimbusds.jose.jwk.JWKSet;
* @author jricher
*/
@Service
@Slf4j
public class JWKSetCacheService {
private static final Logger logger = LoggerFactory.getLogger(JWKSetCacheService.class);
private final LoadingCache<String, JWTSigningAndValidationService> validators;
private final LoadingCache<String, JWTEncryptionAndDecryptionService> encrypters;
@ -72,7 +68,7 @@ public class JWKSetCacheService {
try {
return validators.get(jwksUri);
} catch (UncheckedExecutionException | ExecutionException e) {
logger.warn("Couldn't load JWK Set from {}: {}", jwksUri, e.getMessage());
log.warn("Couldn't load JWK Set from {}: {}", jwksUri, e.getMessage());
return null;
}
}
@ -81,7 +77,7 @@ public class JWKSetCacheService {
try {
return encrypters.get(jwksUri);
} catch (UncheckedExecutionException | ExecutionException e) {
logger.warn("Couldn't load JWK Set from {}: {}", jwksUri, e.getMessage());
log.warn("Couldn't load JWK Set from {}: {}", jwksUri, e.getMessage());
return null;
}
}


@ -26,14 +26,12 @@ import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.util.Base64URL;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
/**
* Creates and caches symmetrical validators for clients based on client secrets.
@ -41,10 +39,9 @@ import java.util.concurrent.TimeUnit;
* @author jricher
*/
@Service
@Slf4j
public class SymmetricKeyJWTValidatorCacheService {
private static final Logger logger = LoggerFactory.getLogger(SymmetricKeyJWTValidatorCacheService.class);
private final LoadingCache<String, JWTSigningAndValidationService> validators;
public SymmetricKeyJWTValidatorCacheService() {
@ -56,17 +53,17 @@ public class SymmetricKeyJWTValidatorCacheService {
public JWTSigningAndValidationService getSymmetricValidator(ClientDetailsEntity client) {
if (client == null) {
logger.error("Couldn't create symmetric validator for null client");
log.error("Couldn't create symmetric validator for null client");
return null;
} else if (StringUtils.isEmpty(client.getClientSecret())) {
logger.error("Couldn't create symmetric validator for client {} without a client secret", client.getClientId());
log.error("Couldn't create symmetric validator for client {} without a client secret", client.getClientId());
return null;
}
try {
return validators.get(client.getClientSecret());
} catch (UncheckedExecutionException | ExecutionException ue) {
logger.error("Problem loading client validator", ue);
log.error("Problem loading client validator", ue);
return null;
}
}


@ -1,20 +1,17 @@
package cz.muni.ics.mdc;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;
import org.springframework.web.filter.GenericFilterBean;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.slf4j.MDC;
import org.springframework.web.filter.GenericFilterBean;
@Slf4j
public class MultiMDCFilter extends GenericFilterBean {
private static final Logger log = LoggerFactory.getLogger(MultiMDCFilter.class);
private final RemoteAddressMDCFilter remoteAddressMDCFilter;
private final SessionIdMDCFilter sessionIdMDCFilter;


@ -1,9 +1,8 @@
package cz.muni.ics.mdc;
import org.slf4j.MDC;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.MDC;
public class RemoteAddressMDCFilter {


@ -1,9 +1,8 @@
package cz.muni.ics.mdc;
import org.slf4j.MDC;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.MDC;
public class SessionIdMDCFilter {


@ -16,12 +16,11 @@
package cz.muni.ics.oauth2.assertion;
import com.nimbusds.jwt.JWT;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import com.nimbusds.jwt.JWT;
/**
* Take in an assertion and token request and generate an OAuth2Request from it, including scopes and other important components
*


@ -16,19 +16,17 @@
package cz.muni.ics.oauth2.assertion.impl;
import com.google.common.collect.Sets;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import cz.muni.ics.oauth2.assertion.AssertionOAuth2RequestFactory;
import java.text.ParseException;
import java.util.Set;
import cz.muni.ics.oauth2.assertion.AssertionOAuth2RequestFactory;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import com.google.common.collect.Sets;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
/**
* Takes an assertion from a trusted source, looks for the fields:
*


@ -25,7 +25,6 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.CascadeType;
import javax.persistence.CollectionTable;
@ -44,7 +43,6 @@ import javax.persistence.NamedQuery;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;


@ -18,7 +18,6 @@
package cz.muni.ics.oauth2.model;
import java.util.Date;
import javax.persistence.Basic;
import javax.persistence.Column;
import javax.persistence.Entity;


@ -32,9 +32,11 @@ import cz.muni.ics.oauth2.model.convert.JWSAlgorithmStringConverter;
import cz.muni.ics.oauth2.model.convert.JWTStringConverter;
import cz.muni.ics.oauth2.model.convert.PKCEAlgorithmStringConverter;
import cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
@ -56,11 +58,8 @@ import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.TemporalType;
import javax.persistence.Transient;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
/**
* @author jricher


@ -19,7 +19,6 @@ package cz.muni.ics.oauth2.model;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.CollectionTable;
import javax.persistence.Column;


@ -20,11 +20,14 @@
*/
package cz.muni.ics.oauth2.model;
import com.nimbusds.jwt.JWT;
import cz.muni.ics.oauth2.model.convert.JWTStringConverter;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.uma.model.Permission;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.CascadeType;
import javax.persistence.CollectionTable;
@ -45,17 +48,11 @@ import javax.persistence.OneToMany;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.Transient;
import cz.muni.ics.oauth2.model.convert.JWTStringConverter;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.uma.model.Permission;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Deserializer;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Serializer;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import com.nimbusds.jwt.JWT;
/**
* @author jricher
*


@ -20,8 +20,9 @@
*/
package cz.muni.ics.oauth2.model;
import com.nimbusds.jwt.JWT;
import cz.muni.ics.oauth2.model.convert.JWTStringConverter;
import java.util.Date;
import javax.persistence.Basic;
import javax.persistence.Column;
import javax.persistence.Convert;
@ -37,12 +38,8 @@ import javax.persistence.NamedQuery;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.Transient;
import cz.muni.ics.oauth2.model.convert.JWTStringConverter;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import com.nimbusds.jwt.JWT;
/**
* @author jricher
*/


@ -26,11 +26,10 @@ import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jwt.JWT;
import org.springframework.security.core.GrantedAuthority;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
/**
* @author jricher


@ -19,7 +19,6 @@ package cz.muni.ics.oauth2.model;
import cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
import java.util.Collection;
import java.util.HashSet;
import javax.persistence.Basic;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
@ -33,7 +32,6 @@ import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.Table;
import javax.persistence.Transient;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;


@ -16,11 +16,10 @@
package cz.muni.ics.oauth2.model.convert;
import com.nimbusds.jose.JWEAlgorithm;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import com.nimbusds.jose.JWEAlgorithm;
@Converter
public class JWEAlgorithmStringConverter implements AttributeConverter<JWEAlgorithm, String> {


@ -16,11 +16,10 @@
package cz.muni.ics.oauth2.model.convert;
import com.nimbusds.jose.EncryptionMethod;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import com.nimbusds.jose.EncryptionMethod;
@Converter
public class JWEEncryptionMethodStringConverter implements AttributeConverter<EncryptionMethod, String> {


@ -16,24 +16,19 @@
package cz.muni.ics.oauth2.model.convert;
import com.nimbusds.jose.jwk.JWKSet;
import java.text.ParseException;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.nimbusds.jose.jwk.JWKSet;
import lombok.extern.slf4j.Slf4j;
/**
* @author jricher
*/
@Converter
@Slf4j
public class JWKSetStringConverter implements AttributeConverter<JWKSet, String> {
private static Logger logger = LoggerFactory.getLogger(JWKSetStringConverter.class);
@Override
public String convertToDatabaseColumn(JWKSet attribute) {
return attribute != null ? attribute.toString() : null;
@ -45,7 +40,7 @@ public class JWKSetStringConverter implements AttributeConverter<JWKSet, String>
try {
return JWKSet.parse(dbData);
} catch (ParseException e) {
logger.error("Unable to parse JWK Set", e);
log.error("Unable to parse JWK Set", e);
return null;
}
} else {


@ -16,11 +16,10 @@
package cz.muni.ics.oauth2.model.convert;
import com.nimbusds.jose.JWSAlgorithm;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import com.nimbusds.jose.JWSAlgorithm;
@Converter
public class JWSAlgorithmStringConverter implements AttributeConverter<JWSAlgorithm, String> {


@ -16,25 +16,20 @@
package cz.muni.ics.oauth2.model.convert;
import java.text.ParseException;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import java.text.ParseException;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import lombok.extern.slf4j.Slf4j;
/**
* @author jricher
*/
@Converter
@Slf4j
public class JWTStringConverter implements AttributeConverter<JWT, String> {
public static Logger logger = LoggerFactory.getLogger(JWTStringConverter.class);
@Override
public String convertToDatabaseColumn(JWT attribute) {
return attribute != null ? attribute.serialize() : null;
@ -46,7 +41,7 @@ public class JWTStringConverter implements AttributeConverter<JWT, String> {
try {
return JWTParser.parse(dbData);
} catch (ParseException e) {
logger.error("Unable to parse JWT", e);
log.error("Unable to parse JWT", e);
return null;
}
} else {
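Review bot: The removed `public static Logger logger = LoggerFactory.getLogger(JWTStringConverter.class);` was part of the class's public surface, whereas the `@Slf4j`-generated `log` field is private static final, so any other class that referenced `JWTStringConverter.logger` will no longer compile. The other converters in this commit (JWKSetStringConverter, SerializableStringConverter) already had private loggers, so this is the only file where the visibility actually changes; a quick search for external references is worth doing before merge. If the public field was intentional, it can be kept alongside the annotation; otherwise narrowing it is an improvement.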


@ -16,11 +16,10 @@
package cz.muni.ics.oauth2.model.convert;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import org.springframework.util.StringUtils;
/**
@ -29,7 +28,7 @@ import org.springframework.util.StringUtils;
@Converter
public class JsonElementStringConverter implements AttributeConverter<JsonElement, String> {
private JsonParser parser = new JsonParser();
private final JsonParser parser = new JsonParser();
@Override
public String convertToDatabaseColumn(JsonElement attribute) {
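Review bot: The line `private final JsonParser parser = new JsonParser();` keeps an instance of Gson's JsonParser, whose constructor and instance parse methods are deprecated since Gson 2.8.6 in favour of the static `JsonParser.parseString(...)`; if the project is on that version or newer, the field can be dropped and the converter becomes stateless, which suits a JPA `@Converter` instance that the provider may reuse. Making the field `final` is fine as an interim step. The class body continues outside the hunk.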


@ -16,11 +16,10 @@
package cz.muni.ics.oauth2.model.convert;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
/**
* @author jricher
*


@ -18,12 +18,9 @@ package cz.muni.ics.oauth2.model.convert;
import java.io.Serializable;
import java.util.Date;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
/**
* Translates a Serializable object of certain primitive types
@ -35,10 +32,9 @@ import org.slf4j.LoggerFactory;
* @author jricher
*/
@Converter
@Slf4j
public class SerializableStringConverter implements AttributeConverter<Serializable, String> {
private static Logger logger = LoggerFactory.getLogger(SerializableStringConverter.class);
@Override
public String convertToDatabaseColumn(Serializable attribute) {
if (attribute == null) {
@ -50,7 +46,7 @@ public class SerializableStringConverter implements AttributeConverter<Serializa
} else if (attribute instanceof Date) {
return Long.toString(((Date)attribute).getTime());
} else {
logger.warn("Dropping data from request: {} :: {}", attribute, attribute.getClass());
log.warn("Dropping data from request: {} :: {}", attribute, attribute.getClass());
return null;
}
}
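Review bot: `log.warn("Dropping data from request: {} :: {}", attribute, attribute.getClass());` writes the rejected attribute value itself into the log at WARN; the message says this is request data, so the value may be user-supplied and it is not needed to diagnose the problem, which is the unsupported type. Logging only the type, `log.warn("Dropping request attribute of unsupported type {}", attribute.getClass());`, keeps the diagnostic and avoids persisting request contents in log files. The `convertToDatabaseColumn` body is split across two hunks in this section, so the branches above the `else` are only partly visible.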


@ -18,7 +18,6 @@ package cz.muni.ics.oauth2.model.convert;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
/**


@ -18,9 +18,8 @@
package cz.muni.ics.oauth2.repository;
import cz.muni.ics.data.PageCriteria;
import java.util.List;
import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import java.util.List;
public interface AuthenticationHolderRepository {


@ -18,9 +18,8 @@
package cz.muni.ics.oauth2.repository;
import cz.muni.ics.data.PageCriteria;
import java.util.Collection;
import cz.muni.ics.oauth2.model.AuthorizationCodeEntity;
import java.util.Collection;
/**
* Interface for saving and consuming OAuth2 authorization codes as AuthorizationCodeEntitys.


@ -17,9 +17,8 @@
*******************************************************************************/
package cz.muni.ics.oauth2.repository;
import java.util.Collection;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import java.util.Collection;
public interface OAuth2ClientRepository {


@ -17,15 +17,14 @@
*******************************************************************************/
package cz.muni.ics.oauth2.repository;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import java.util.List;
import java.util.Set;
import cz.muni.ics.data.PageCriteria;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.uma.model.ResourceSet;
import java.util.List;
import java.util.Set;
public interface OAuth2TokenRepository {


@ -20,9 +20,8 @@
*/
package cz.muni.ics.oauth2.repository;
import java.util.Set;
import cz.muni.ics.oauth2.model.SystemScope;
import java.util.Set;
/**
* @author jricher


@ -16,9 +16,8 @@
package cz.muni.ics.oauth2.repository.impl;
import java.util.Collection;
import cz.muni.ics.oauth2.model.DeviceCode;
import java.util.Collection;
/**
* @author jricher


@ -19,15 +19,13 @@ package cz.muni.ics.oauth2.repository.impl;
import cz.muni.ics.data.DefaultPageCriteria;
import cz.muni.ics.data.PageCriteria;
import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import cz.muni.ics.oauth2.repository.AuthenticationHolderRepository;
import cz.muni.ics.util.jpa.JpaUtil;
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import cz.muni.ics.oauth2.repository.AuthenticationHolderRepository;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


@ -21,16 +21,14 @@
package cz.muni.ics.oauth2.repository.impl;
import cz.muni.ics.data.PageCriteria;
import cz.muni.ics.oauth2.model.AuthorizationCodeEntity;
import cz.muni.ics.oauth2.repository.AuthorizationCodeRepository;
import cz.muni.ics.util.jpa.JpaUtil;
import java.util.Collection;
import java.util.Date;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import cz.muni.ics.oauth2.model.AuthorizationCodeEntity;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


@ -18,15 +18,13 @@
*/
package cz.muni.ics.oauth2.repository.impl;
import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.util.jpa.JpaUtil;
import java.util.Collection;
import java.util.Date;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import cz.muni.ics.oauth2.model.DeviceCode;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


@ -17,15 +17,13 @@
*******************************************************************************/
package cz.muni.ics.oauth2.repository.impl;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.repository.OAuth2ClientRepository;
import cz.muni.ics.util.jpa.JpaUtil;
import java.util.Collection;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.repository.OAuth2ClientRepository;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


@ -17,9 +17,17 @@
*******************************************************************************/
package cz.muni.ics.oauth2.repository.impl;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import cz.muni.ics.data.DefaultPageCriteria;
import cz.muni.ics.data.PageCriteria;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.oauth2.repository.OAuth2TokenRepository;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.uma.model.ResourceSet;
import cz.muni.ics.util.jpa.JpaUtil;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
@ -27,7 +35,6 @@ import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
@ -35,28 +42,16 @@ import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaDelete;
import javax.persistence.criteria.Root;
import cz.muni.ics.data.DefaultPageCriteria;
import cz.muni.ics.data.PageCriteria;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.uma.model.ResourceSet;
import cz.muni.ics.util.jpa.JpaUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
@Repository
@Slf4j
public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
private static final int MAXEXPIREDRESULTS = 1000;
private static final Logger logger = LoggerFactory.getLogger(JpaOAuth2TokenRepository.class);
@PersistenceContext(unitName="defaultPersistenceUnit")
private EntityManager manager;
@ -242,7 +237,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
List<Object[]> resultList = query.getResultList();
List<JWT> values = new ArrayList<>();
for (Object[] r : resultList) {
logger.warn("Found duplicate access tokens: {}, {}", ((JWT)r[0]).serialize(), r[1]);
log.warn("Found duplicate access tokens: {}, {}", ((JWT)r[0]).serialize(), r[1]);
values.add((JWT) r[0]);
}
if (values.size() > 0) {
@ -251,7 +246,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
Root<OAuth2AccessTokenEntity> root = criteriaDelete.from(OAuth2AccessTokenEntity.class);
criteriaDelete.where(root.get("jwt").in(values));
int result = manager.createQuery(criteriaDelete).executeUpdate();
logger.warn("Deleted {} duplicate access tokens", result);
log.warn("Deleted {} duplicate access tokens", result);
}
}
@ -263,7 +258,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
List<Object[]> resultList = query.getResultList();
List<JWT> values = new ArrayList<>();
for (Object[] r : resultList) {
logger.warn("Found duplicate refresh tokens: {}, {}", ((JWT)r[0]).serialize(), r[1]);
log.warn("Found duplicate refresh tokens: {}, {}", ((JWT)r[0]).serialize(), r[1]);
values.add((JWT) r[0]);
}
if (values.size() > 0) {
@ -272,7 +267,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
Root<OAuth2RefreshTokenEntity> root = criteriaDelete.from(OAuth2RefreshTokenEntity.class);
criteriaDelete.where(root.get("jwt").in(values));
int result = manager.createQuery(criteriaDelete).executeUpdate();
logger.warn("Deleted {} duplicate refresh tokens", result);
log.warn("Deleted {} duplicate refresh tokens", result);
}
}
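Review bot: The two `Found duplicate access tokens` / `Found duplicate refresh tokens` warn lines write the fully serialized JWT into the log, so an ordinary log file ends up holding live bearer credentials; the switch to the Lombok `log` field keeps that behaviour. Diagnosing duplicates only needs a non-replayable identifier, e.g. `log.warn("Found duplicate access tokens: jti={}, {}", ((JWT) r[0]).getJWTClaimsSet().getJWTID(), r[1]);` (getJWTClaimsSet throws ParseException, so wrap it, or log a hash of the serialized form instead). What `r[1]` holds is not visible in the hunk; presumably it is the duplicate count. The same concern applies to the `Clearing expired access token: ` and `Clearing expired refresh token: ` debug lines in the DefaultOAuth2ProviderTokenService section below, which concatenate `token.getValue()`.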


@ -20,16 +20,14 @@
*/
package cz.muni.ics.oauth2.repository.impl;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.SystemScopeRepository;
import cz.muni.ics.util.jpa.JpaUtil;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.SystemScopeRepository;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


@ -17,29 +17,28 @@
*******************************************************************************/
package cz.muni.ics.oauth2.service;
import java.util.Collection;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import java.util.Collection;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.ClientDetailsService;
public interface ClientDetailsEntityService extends ClientDetailsService {
public ClientDetailsEntity saveNewClient(ClientDetailsEntity client);
ClientDetailsEntity saveNewClient(ClientDetailsEntity client);
public ClientDetailsEntity getClientById(Long id);
ClientDetailsEntity getClientById(Long id);
@Override
public ClientDetailsEntity loadClientByClientId(String clientId) throws OAuth2Exception;
ClientDetailsEntity loadClientByClientId(String clientId) throws OAuth2Exception;
public void deleteClient(ClientDetailsEntity client);
void deleteClient(ClientDetailsEntity client);
public ClientDetailsEntity updateClient(ClientDetailsEntity oldClient, ClientDetailsEntity newClient);
ClientDetailsEntity updateClient(ClientDetailsEntity oldClient, ClientDetailsEntity newClient);
public Collection<ClientDetailsEntity> getAllClients();
Collection<ClientDetailsEntity> getAllClients();
public ClientDetailsEntity generateClientId(ClientDetailsEntity client);
ClientDetailsEntity generateClientId(ClientDetailsEntity client);
public ClientDetailsEntity generateClientSecret(ClientDetailsEntity client);
ClientDetailsEntity generateClientSecret(ClientDetailsEntity client);
}


@ -21,7 +21,6 @@ import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.DeviceCode;
import java.util.Map;
import java.util.Set;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;


@ -21,7 +21,6 @@ import cz.muni.ics.openid.connect.model.UserInfo;
import java.text.SimpleDateFormat;
import java.util.Map;
import java.util.Set;
import javax.swing.text.DateFormatter;
/**


@ -22,7 +22,6 @@ import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import java.util.List;
import java.util.Set;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;


@ -21,8 +21,12 @@ package cz.muni.ics.oauth2.service.impl;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
@ -31,19 +35,12 @@ import org.springframework.security.oauth2.common.exceptions.RedirectMismatchExc
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
*
* A redirect resolver that knows how to check against the blacklisted URIs
@ -53,10 +50,9 @@ import java.util.Set;
*
*/
@Component("blacklistAwareRedirectResolver")
@Slf4j
public class BlacklistAwareRedirectResolver implements RedirectResolver {
private static final Logger log = LoggerFactory.getLogger(BlacklistAwareRedirectResolver.class);
@Autowired
private BlacklistedSiteService blacklistService;


@ -17,7 +17,7 @@
*******************************************************************************/
package cz.muni.ics.oauth2.service.impl;
import cz.muni.ics.oauth2.service.impl.ServiceUtils;
import com.google.common.base.Strings;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
@ -30,8 +30,6 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.stereotype.Service;
import com.google.common.base.Strings;
/**
* Shim layer to convert a ClientDetails service into a UserDetails service
*
@ -40,7 +38,7 @@ import com.google.common.base.Strings;
@Service("clientUserDetailsService")
public class DefaultClientUserDetailsService implements UserDetailsService {
private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
private ClientDetailsEntityService clientDetailsService;
private final ConfigurationPropertiesBean config;


@ -21,13 +21,12 @@ import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.oauth2.repository.impl.DeviceCodeRepository;
import cz.muni.ics.oauth2.service.DeviceCodeService;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import cz.muni.ics.oauth2.service.DeviceCodeService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.provider.ClientDetails;
@ -45,7 +44,7 @@ public class DefaultDeviceCodeService implements DeviceCodeService {
@Autowired
private DeviceCodeRepository repository;
private RandomValueStringGenerator randomGenerator = new RandomValueStringGenerator();
private final RandomValueStringGenerator randomGenerator = new RandomValueStringGenerator();
/* (non-Javadoc)
* @see cz.muni.ics.oauth2.service.DeviceCodeService#save(cz.muni.ics.oauth2.model.DeviceCode)


@ -17,34 +17,27 @@ package cz.muni.ics.oauth2.service.impl;
import static com.google.common.collect.Maps.newLinkedHashMap;
import com.google.common.base.Joiner;
import com.google.common.collect.Sets;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.uma.model.Permission;
import java.text.ParseException;
import java.util.Map;
import java.util.Set;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Service;
import com.google.common.base.Joiner;
import com.google.common.collect.Sets;
/**
* Default implementation of the {@link IntrospectionResultAssembler} interface.
*/
@Service
@Slf4j
public class DefaultIntrospectionResultAssembler implements IntrospectionResultAssembler {
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(DefaultIntrospectionResultAssembler.class);
@Override
public Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set<String> authScopes) {
@ -79,7 +72,7 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(EXPIRES_AT, dateFormat.valueToString(accessToken.getExpiration()));
result.put(EXP, accessToken.getExpiration().getTime() / 1000L);
} catch (ParseException e) {
logger.error("Parse exception in token introspection", e);
log.error("Parse exception in token introspection", e);
}
}
@ -119,7 +112,7 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(EXPIRES_AT, dateFormat.valueToString(refreshToken.getExpiration()));
result.put(EXP, refreshToken.getExpiration().getTime() / 1000L);
} catch (ParseException e) {
logger.error("Parse exception in token introspection", e);
log.error("Parse exception in token introspection", e);
}
}


@ -27,9 +27,7 @@ import cz.muni.ics.oauth2.repository.AuthenticationHolderRepository;
import cz.muni.ics.oauth2.repository.AuthorizationCodeRepository;
import java.util.Collection;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
@ -45,9 +43,8 @@ import org.springframework.transaction.annotation.Transactional;
*
*/
@Service("defaultOAuth2AuthorizationCodeService")
@Slf4j
public class DefaultOAuth2AuthorizationCodeService implements AuthorizationCodeServices {
// Logger for this class
private static final Logger logger = LoggerFactory.getLogger(DefaultOAuth2AuthorizationCodeService.class);
@Autowired
private AuthorizationCodeRepository repository;
@ -57,7 +54,7 @@ public class DefaultOAuth2AuthorizationCodeService implements AuthorizationCodeS
private int authCodeExpirationSeconds = 60 * 5; // expire in 5 minutes by default
private RandomValueStringGenerator generator = new RandomValueStringGenerator(22);
private final RandomValueStringGenerator generator = new RandomValueStringGenerator(22);
/**
* Generate a random authorization code and create an AuthorizationCodeEntity,


@ -24,14 +24,11 @@ import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import cz.muni.ics.oauth2.repository.OAuth2TokenRepository;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.ClientDetailsEntity.AuthMethod;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.OAuth2ClientRepository;
import cz.muni.ics.oauth2.repository.OAuth2TokenRepository;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
@ -41,17 +38,6 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
import cz.muni.ics.openid.connect.service.WhitelistedSiteService;
import cz.muni.ics.uma.model.ResourceSet;
import cz.muni.ics.uma.service.ResourceSetService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.ArrayList;
@ -62,15 +48,23 @@ import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
@Service
@Slf4j
public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEntityService {
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(DefaultOAuth2ClientDetailsEntityService.class);
@Autowired
private OAuth2ClientRepository clientRepository;
@ -96,7 +90,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
private ConfigurationPropertiesBean config;
// map of sector URI -> list of redirect URIs
private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder()
private final LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder()
.expireAfterAccess(1, TimeUnit.HOURS)
.maximumSize(100)
.build(new SectorIdentifierLoader(HttpClientBuilder.create().useSystemProperties().build()));
@ -324,7 +318,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
* Get the client for the given ClientID
*/
@Override
public ClientDetailsEntity loadClientByClientId(String clientId) throws OAuth2Exception, InvalidClientException, IllegalArgumentException {
public ClientDetailsEntity loadClientByClientId(String clientId) throws OAuth2Exception, IllegalArgumentException {
if (!Strings.isNullOrEmpty(clientId)) {
ClientDetailsEntity client = clientRepository.getClientByClientId(clientId);
if (client == null) {
@ -437,7 +431,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
@Override
public ClientDetailsEntity generateClientSecret(ClientDetailsEntity client) {
if (config.isHeartMode()) {
logger.error("[HEART mode] Can't generate a client secret, skipping step; client won't be saved due to invalid configuration");
log.error("[HEART mode] Can't generate a client secret, skipping step; client won't be saved due to invalid configuration");
client.setClientSecret(null);
} else {
client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", ""));
@ -452,9 +446,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
*
*/
private class SectorIdentifierLoader extends CacheLoader<String, List<String>> {
private HttpComponentsClientHttpRequestFactory httpFactory;
private RestTemplate restTemplate;
private JsonParser parser = new JsonParser();
private final HttpComponentsClientHttpRequestFactory httpFactory;
private final RestTemplate restTemplate;
private final JsonParser parser = new JsonParser();
SectorIdentifierLoader(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
@ -468,7 +462,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
if (config.isForceHttps()) {
throw new IllegalArgumentException("Sector identifier must start with https: " + key);
}
logger.error("Sector identifier doesn't start with https, loading anyway...");
log.error("Sector identifier doesn't start with https, loading anyway...");
}
// key is the sector URI
@ -481,7 +475,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
redirectUris.add(el.getAsString());
}
logger.info("Found " + redirectUris + " for sector " + key);
log.info("Found " + redirectUris + " for sector " + key);
return redirectUris;
} else {
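Review bot: `log.info("Found " + redirectUris + " for sector " + key);` in the SectorIdentifierLoader hunk still builds the message by string concatenation although the class now logs through slf4j via `@Slf4j`; the parameterized form `log.info("Found {} for sector {}", redirectUris, key);` defers formatting until the level is enabled and matches the surrounding warn/error calls. In the same loader, `log.error("Sector identifier doesn't start with https, loading anyway...");` never records which sector URI was accepted over plain http, so the downgraded check cannot be audited from the log; `log.error("Sector identifier {} doesn't start with https, loading anyway...", key);` fixes that. The load method itself starts and ends outside the hunk.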


@ -20,23 +20,35 @@
*/
package cz.muni.ics.oauth2.service.impl;
import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE;
import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE_SEPARATOR;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CODE_CHALLENGE;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CODE_CHALLENGE_METHOD;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CODE_VERIFIER;
import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import cz.muni.ics.data.AbstractPageOperationTemplate;
import cz.muni.ics.data.DefaultPageCriteria;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.AuthenticationHolderRepository;
import cz.muni.ics.oauth2.repository.OAuth2TokenRepository;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.openid.connect.service.ApprovedSiteService;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@ -46,21 +58,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import cz.muni.ics.data.AbstractPageOperationTemplate;
import cz.muni.ics.data.DefaultPageCriteria;
import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.AuthenticationHolderRepository;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.openid.connect.service.ApprovedSiteService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.AuthenticationException;
@ -75,24 +73,15 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import com.google.common.base.Strings;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
/**
* @author jricher
*
*/
@Service("defaultOAuth2ProviderTokenService")
@Slf4j
public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityService {
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(DefaultOAuth2ProviderTokenService.class);
@Autowired
private OAuth2TokenRepository tokenRepository;
@ -147,7 +136,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
return null;
} else if (token.isExpired()) {
// immediately revoke expired token
logger.debug("Clearing expired access token: " + token.getValue());
log.debug("Clearing expired access token: " + token.getValue());
revokeAccessToken(token);
return null;
} else {
@ -165,7 +154,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
return null;
} else if (token.isExpired()) {
// immediately revoke expired token
logger.debug("Clearing expired refresh token: " + token.getValue());
log.debug("Clearing expired refresh token: " + token.getValue());
revokeRefreshToken(token);
return null;
} else {
@ -207,7 +196,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
throw new InvalidRequestException("Code challenge and verifier do not match");
}
} catch (NoSuchAlgorithmException e) {
logger.error("Unknown algorithm for PKCE digest", e);
log.error("Unknown algorithm for PKCE digest", e);
}
}
@ -375,7 +364,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
token.setScope(scopeService.toStrings(scope));
} else {
String errorMsg = "Up-scoping is not allowed.";
logger.error(errorMsg);
log.error(errorMsg);
throw new InvalidScopeException(errorMsg);
}
} else {
@ -493,7 +482,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
*/
@Override
public void clearExpiredTokens() {
logger.debug("Cleaning out all expired tokens");
log.debug("Cleaning out all expired tokens");
new AbstractPageOperationTemplate<OAuth2AccessTokenEntity>("clearExpiredAccessTokens") {
@Override
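Review bot: In the PKCE hunk the `catch (NoSuchAlgorithmException e)` only logs `Unknown algorithm for PKCE digest` and execution continues, so when the digest algorithm is unavailable the `Code challenge and verifier do not match` rejection is never reached and the exchange proceeds without the verifier check; the check should fail closed, e.g. `throw new InvalidRequestException("Unsupported PKCE code challenge method", e);` after the log call. The enclosing method starts outside the hunk, so a later statement may already reject in that case; if so, disregard this.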


@ -20,21 +20,19 @@
*/
package cz.muni.ics.oauth2.service.impl;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.SystemScopeRepository;
import java.util.LinkedHashSet;
import java.util.Set;
import cz.muni.ics.oauth2.service.SystemScopeService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.google.common.base.Function;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Sets;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.repository.SystemScopeRepository;
import cz.muni.ics.oauth2.service.SystemScopeService;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
/**
* @author jricher
@ -46,28 +44,28 @@ public class DefaultSystemScopeService implements SystemScopeService {
@Autowired
private SystemScopeRepository repository;
private Predicate<SystemScope> isDefault = new Predicate<SystemScope>() {
private final Predicate<SystemScope> isDefault = new Predicate<SystemScope>() {
@Override
public boolean apply(SystemScope input) {
return (input != null && input.isDefaultScope());
}
};
private Predicate<SystemScope> isRestricted = new Predicate<SystemScope>() {
private final Predicate<SystemScope> isRestricted = new Predicate<SystemScope>() {
@Override
public boolean apply(SystemScope input) {
return (input != null && input.isRestricted());
}
};
private Predicate<SystemScope> isReserved = new Predicate<SystemScope>() {
private final Predicate<SystemScope> isReserved = new Predicate<SystemScope>() {
@Override
public boolean apply(SystemScope input) {
return (input != null && getReserved().contains(input));
}
};
private Function<String, SystemScope> stringToSystemScope = new Function<String, SystemScope>() {
private final Function<String, SystemScope> stringToSystemScope = new Function<String, SystemScope>() {
@Override
public SystemScope apply(String input) {
if (Strings.isNullOrEmpty(input)) {
@ -85,7 +83,7 @@ public class DefaultSystemScopeService implements SystemScopeService {
}
};
private Function<SystemScope, String> systemScopeToString = new Function<SystemScope, String>() {
private final Function<SystemScope, String> systemScopeToString = new Function<SystemScope, String>() {
@Override
public String apply(SystemScope input) {
if (input == null) {


@ -2,14 +2,13 @@ package cz.muni.ics.oauth2.service.impl;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.HashSet;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
public class ServiceUtils {


@ -15,11 +15,11 @@
*******************************************************************************/
package cz.muni.ics.oauth2.service.impl;
import com.google.common.base.Strings;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import java.io.UnsupportedEncodingException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -30,8 +30,6 @@ import org.springframework.security.oauth2.common.exceptions.InvalidClientExcept
import org.springframework.stereotype.Service;
import org.springframework.web.util.UriUtils;
import com.google.common.base.Strings;
/**
* Loads client details based on URI encoding as passed in from basic auth.
*
@ -42,7 +40,7 @@ import com.google.common.base.Strings;
@Service("uriEncodedClientUserDetailsService")
public class UriEncodedClientUserDetailsService implements UserDetailsService {
private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
private ClientDetailsEntityService clientDetailsService;
private final ConfigurationPropertiesBean config;


@ -20,12 +20,12 @@
*/
package cz.muni.ics.oauth2.token;
import com.google.common.collect.Sets;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import java.util.HashSet;
import java.util.Set;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
@ -37,8 +37,6 @@ import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.stereotype.Component;
import com.google.common.collect.Sets;
/**
* @author jricher
*
@ -49,7 +47,7 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
public static final String GRANT_TYPE = "urn:ietf:params:oauth:grant_type:redelegate";
// keep down-cast versions so we can get to the right queries
private OAuth2TokenEntityService tokenServices;
private final OAuth2TokenEntityService tokenServices;
/**
* @param tokenServices


@ -16,13 +16,12 @@
package cz.muni.ics.oauth2.token;
import java.util.Date;
import cz.muni.ics.oauth2.exception.AuthorizationPendingException;
import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException;
import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.oauth2.service.DeviceCodeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint;
import java.util.Date;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.ClientDetails;


@ -20,13 +20,15 @@
*/
package cz.muni.ics.oauth2.token;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import java.text.ParseException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import cz.muni.ics.jwt.assertion.AssertionValidator;
import cz.muni.ics.oauth2.assertion.AssertionOAuth2RequestFactory;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.openid.connect.assertion.JWTBearerAssertionAuthenticationToken;
import java.text.ParseException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.AuthenticationException;
@ -38,14 +40,12 @@ import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.stereotype.Component;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
/**
* @author jricher
*
*/
@Component("jwtAssertionTokenGranter")
@Slf4j
public class JWTAssertionTokenGranter extends AbstractTokenGranter {
private static final String grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
@ -80,12 +80,12 @@ public class JWTAssertionTokenGranter extends AbstractTokenGranter {
new JWTBearerAssertionAuthenticationToken(assertion, client.getAuthorities()));
} else {
logger.warn("Incoming assertion did not pass validator, rejecting");
log.warn("Incoming assertion did not pass validator, rejecting");
return null;
}
} catch (ParseException e) {
logger.warn("Unable to parse incoming assertion");
log.warn("Unable to parse incoming assertion");
}
// if we had made a token, we'd have returned it by now, so return null here to close out with no created token
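Review bot: The two rejection branches in the `@ -80,12 +80,12` hunk, `log.warn("Incoming assertion did not pass validator, rejecting");` and `log.warn("Unable to parse incoming assertion");`, record neither which client presented the JWT-bearer assertion nor why parsing failed, even though `client` is in scope on the preceding line (`client.getAuthorities()`) and the `ParseException e` is discarded, so a rejected assertion cannot be attributed when investigating abuse of the token endpoint. I would log with SLF4J placeholders rather than concatenation, e.g. `log.warn("Incoming assertion for client {} did not pass validator, rejecting", client.getClientId());` and `log.warn("Unable to parse incoming assertion for client {}: {}", client.getClientId(), e.getMessage());`. Whether `client` is guaranteed non-null at the `catch (ParseException e)` site cannot be confirmed from the hunk, and the enclosing method starts and ends outside it. The raw assertion itself should stay out of the logs, since it is a bearer credential.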


@ -20,9 +20,8 @@
*/
package cz.muni.ics.oauth2.token;
import java.util.Set;
import cz.muni.ics.oauth2.service.SystemScopeService;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;


@ -15,26 +15,6 @@
*******************************************************************************/
package cz.muni.ics.oauth2.view;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView;
import java.io.IOException;
import java.io.Writer;
import java.lang.reflect.Type;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.web.servlet.view.AbstractView;
import com.google.gson.ExclusionStrategy;
import com.google.gson.FieldAttributes;
import com.google.gson.Gson;
@ -43,18 +23,30 @@ import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonSerializationContext;
import com.google.gson.JsonSerializer;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView;
import java.io.IOException;
import java.io.Writer;
import java.lang.reflect.Type;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.web.servlet.view.AbstractView;
@Component(TokenApiView.VIEWNAME)
@Slf4j
public class TokenApiView extends AbstractView {
public static final String VIEWNAME = "tokenApiView";
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(TokenApiView.class);
private Gson gson = new GsonBuilder()
private final Gson gson = new GsonBuilder()
.setExclusionStrategies(new ExclusionStrategy() {
@Override
@ -65,10 +57,7 @@ public class TokenApiView extends AbstractView {
@Override
public boolean shouldSkipClass(Class<?> clazz) {
// skip the JPA binding wrapper
if (clazz.equals(BeanPropertyBindingResult.class)) {
return true;
}
return false;
return clazz.equals(BeanPropertyBindingResult.class);
}
})
@ -142,7 +131,7 @@ public class TokenApiView extends AbstractView {
} catch (IOException e) {
logger.error("IOException in JsonEntityView.java: ", e);
log.error("IOException in JsonEntityView.java: ", e);
}
}
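Review bot: The catch block at the end of the section still emits `log.error("IOException in JsonEntityView.java: ", e);` although this class is `TokenApiView`; the Lombok migration carried over a copy-pasted message that attributes this view's write failures to a different class, which sends anyone triaging logs to the wrong file. I would change it to `log.error("IOException in TokenApiView while writing token response: ", e);` so the message matches the class that now owns the `log` field. The method containing this catch starts outside the hunk.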


@ -16,13 +16,12 @@
package cz.muni.ics.oauth2.web;
import com.google.common.collect.ImmutableSet;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import com.google.common.collect.ImmutableSet;
/**
*
* Utility class to enforce OAuth scopes in authenticated requests.


@ -21,12 +21,10 @@
package cz.muni.ics.oauth2.web;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;


@ -16,11 +16,14 @@
package cz.muni.ics.oauth2.web;
import com.google.common.collect.Sets;
import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.oauth2.model.SystemScope;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.DeviceCodeService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.token.DeviceTokenGranter;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.view.HttpCodeView;
@ -34,14 +37,9 @@ import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.utils.URIBuilder;
import cz.muni.ics.oauth2.service.DeviceCodeService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
@ -59,8 +57,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import com.google.common.collect.Sets;
/**
* Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow
*
@ -70,13 +66,12 @@ import com.google.common.collect.Sets;
*
*/
@Controller
@Slf4j
public class DeviceEndpoint {
public static final String URL = "devicecode";
public static final String USER_URL = "device";
public static final Logger logger = LoggerFactory.getLogger(DeviceEndpoint.class);
@Autowired
private ClientDetailsEntityService clientService;
@ -108,13 +103,13 @@ public class DeviceEndpoint {
}
} catch (IllegalArgumentException e) {
logger.error("IllegalArgumentException was thrown when attempting to load client", e);
log.error("IllegalArgumentException was thrown when attempting to load client", e);
model.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
return HttpCodeView.VIEWNAME;
}
if (client == null) {
logger.error("could not find client " + clientId);
log.error("could not find client " + clientId);
model.put(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
@ -125,7 +120,7 @@ public class DeviceEndpoint {
if (!scopeService.scopesMatch(allowedScopes, requestedScopes)) {
// client asked for scopes it can't have
logger.error("Client asked for " + requestedScopes + " but is allowed " + allowedScopes);
log.error("Client asked for " + requestedScopes + " but is allowed " + allowedScopes);
model.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
model.put(JsonErrorView.ERROR, "invalid_scope");
return JsonErrorView.VIEWNAME;
@ -164,7 +159,7 @@ public class DeviceEndpoint {
return JsonErrorView.VIEWNAME;
} catch (URISyntaxException use) {
logger.error("unable to build verification_uri_complete due to wrong syntax of uri components");
log.error("unable to build verification_uri_complete due to wrong syntax of uri components");
model.put(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
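Review bot: `log.error("could not find client " + clientId);` and `log.error("Client asked for " + requestedScopes + " but is allowed " + allowedScopes);` concatenate request-controlled strings straight into the log line — `clientId` appears to come from the device authorization request (the `@RequestParam` import is in the hunk) — so a caller can inject CR/LF or forge log entries, and an unknown client is an ERROR-level event that any unauthenticated caller can raise at will. I would use SLF4J placeholders and lower the severity, e.g. `log.warn("could not find client {}", clientId);` and `log.warn("Client {} asked for {} but is allowed {}", clientId, requestedScopes, allowedScopes);`, and confirm the log encoder escapes line breaks (or strip `\r`/`\n` before logging). The removed field was `public static final Logger logger`; the Lombok-generated `log` is private, so any other class that referenced `DeviceEndpoint.logger` will no longer compile — worth a grep. The methods containing these lines start and end outside the hunks.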


@ -17,10 +17,15 @@
*******************************************************************************/
package cz.muni.ics.oauth2.web;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView;
@ -31,12 +36,7 @@ import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
@ -47,10 +47,8 @@ import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
@Controller
@Slf4j
public class IntrospectionEndpoint {
/**
@ -73,11 +71,6 @@ public class IntrospectionEndpoint {
@Autowired
private ResourceSetService resourceSetService;
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(IntrospectionEndpoint.class);
public IntrospectionEndpoint() {
}
@ -131,7 +124,7 @@ public class IntrospectionEndpoint {
// this client isn't allowed to do direct introspection
logger.error("Client " + authClient.getClientId() + " is not allowed to call introspection endpoint");
log.error("Client " + authClient.getClientId() + " is not allowed to call introspection endpoint");
model.addAttribute("code", HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
@ -143,7 +136,7 @@ public class IntrospectionEndpoint {
// first make sure the token is there
if (Strings.isNullOrEmpty(tokenValue)) {
logger.error("Verify failed; token value is null");
log.error("Verify failed; token value is null");
Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
model.addAttribute(JsonEntityView.ENTITY, entity);
return JsonEntityView.VIEWNAME;
@ -166,7 +159,7 @@ public class IntrospectionEndpoint {
user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());
} catch (InvalidTokenException e) {
logger.info("Invalid access token. Checking refresh token.");
log.info("Invalid access token. Checking refresh token.");
try {
// check refresh tokens next
@ -179,7 +172,7 @@ public class IntrospectionEndpoint {
user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());
} catch (InvalidTokenException e2) {
logger.error("Invalid refresh token");
log.error("Invalid refresh token");
Map<String,Boolean> entity = ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE);
model.addAttribute(JsonEntityView.ENTITY, entity);
return JsonEntityView.VIEWNAME;
@ -196,7 +189,7 @@ public class IntrospectionEndpoint {
model.addAttribute(JsonEntityView.ENTITY, entity);
} else {
// no tokens were found (we shouldn't get here)
logger.error("Verify failed; Invalid access/refresh token");
log.error("Verify failed; Invalid access/refresh token");
Map<String,Boolean> entity = ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE);
model.addAttribute(JsonEntityView.ENTITY, entity);
return JsonEntityView.VIEWNAME;
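Review bot: In the introspection hunks an invalid refresh token (`log.error("Invalid refresh token");`) and the final fall-through (`log.error("Verify failed; Invalid access/refresh token");`) are logged at ERROR, yet answering `active: false` for an expired, revoked or unknown token is the normal outcome a resource server asks this endpoint for (RFC 7662), so ordinary traffic will flood the error log and any introspecting client can trigger these entries at will. I would lower them to WARN or DEBUG and, for audit value, name the introspecting client, e.g. `log.warn("Introspection by client {} found no active token", authClient.getClientId());` — `authClient.getClientId()` is used earlier in the section, but whether `authClient` is still in scope at these catch sites cannot be confirmed from the hunk. The token value itself must not be logged. The method containing these branches starts and ends outside the hunks.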


@ -16,8 +16,7 @@
package cz.muni.ics.oauth2.web;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
@ -32,15 +31,15 @@ import org.springframework.web.bind.annotation.ExceptionHandler;
*
*/
@ControllerAdvice
@Slf4j
public class OAuth2ExceptionHandler {
private static final Logger logger = LoggerFactory.getLogger(OAuth2ExceptionHandler.class);
@Autowired
private WebResponseExceptionTranslator providerExceptionHandler;
@ExceptionHandler(OAuth2Exception.class)
public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
log.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
return providerExceptionHandler.translate(e);
}
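Review bot: `log.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());` concatenates the exception message into the log line; for `OAuth2Exception` subclasses the message commonly embeds request values (Spring's `InvalidScopeException` carries the requested scope, redirect-mismatch errors carry the offered URI), so a client can put CR/LF or misleading text into the log through this handler. I would switch to placeholders, `log.info("Handling error: {}, {}", e.getClass().getSimpleName(), e.getMessage());`, and rely on the log encoder to escape line breaks. The handler is registered for `OAuth2Exception.class` but declares `Exception e`; narrowing the parameter to `OAuth2Exception e` would document the contract without changing behavior.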


@ -34,9 +34,15 @@ import cz.muni.ics.openid.connect.request.ConnectRequestParameters;
import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService;
import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.utils.URIBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
@ -47,23 +53,15 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
* @author jricher
*
*/
@Controller
@SessionAttributes("authorizationRequest")
@Slf4j
public class OAuthConfirmationController {
@Autowired
private ClientDetailsEntityService clientService;
@ -79,11 +77,6 @@ public class OAuthConfirmationController {
@Autowired
private RedirectResolver redirectResolver;
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(OAuthConfirmationController.class);
public OAuthConfirmationController() {
}
@ -106,17 +99,17 @@ public class OAuthConfirmationController {
try {
client = clientService.loadClientByClientId(authRequest.getClientId());
} catch (OAuth2Exception e) {
logger.error("confirmAccess: OAuth2Exception was thrown when attempting to load client", e);
log.error("confirmAccess: OAuth2Exception was thrown when attempting to load client", e);
model.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("confirmAccess: IllegalArgumentException was thrown when attempting to load client", e);
log.error("confirmAccess: IllegalArgumentException was thrown when attempting to load client", e);
model.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
return HttpCodeView.VIEWNAME;
}
if (client == null) {
logger.error("confirmAccess: could not find client " + authRequest.getClientId());
log.error("confirmAccess: could not find client " + authRequest.getClientId());
model.put(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
@ -134,10 +127,10 @@ public class OAuthConfirmationController {
uriBuilder.addParameter("state", authRequest.getState()); // copy the state parameter if one was given
}
return "redirect:" + uriBuilder.toString();
return "redirect:" + uriBuilder;
} catch (URISyntaxException e) {
logger.error("Can't build redirect URI for prompt=none, sending error instead", e);
log.error("Can't build redirect URI for prompt=none, sending error instead", e);
model.put("code", HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
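Review bot: The prompt=none error path returns `"redirect:" + uriBuilder`, which routes through Spring MVC's default `RedirectView`; that view also appends model attributes as query parameters unless `ignoreDefaultModelOnRedirect` is configured, so anything put into `model` before this return would be carried into the redirect sent to the client's redirect URI. Whether the model holds anything at that point is not visible in the hunk, and the method starts outside it. Returning a `RedirectView` with `setExposeModelAttributes(false)` (or an explicit `ModelAndView` with an empty model) would pin the redirect to exactly the parameters the hunk builds with `uriBuilder`. Separately, `log.error("confirmAccess: could not find client " + authRequest.getClientId());` concatenates a request-supplied id into the log line; `log.error("confirmAccess: could not find client {}", authRequest.getClientId());` keeps it out of the message format.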
