From ae9b5e792a88b11fd0098aa6ebc9b223348e1148 Mon Sep 17 00:00:00 2001 From: Amanda Anganes Date: Thu, 22 Mar 2012 13:43:30 -0400 Subject: [PATCH] Added a ConfigurationPropertiesBean.java to hold configuration properties. Fixed up CheckIDEndpoint.java a bit - it works, but is outputting the wrong thing. --- openid-connect-common/.classpath | 9 +-- .../mitre/jwt/signer/AbstractJwtSigner.java | 10 +++- .../java/org/mitre/jwt/signer/JwtSigner.java | 2 +- .../JwtSigningAndValidationService.java | 24 ++++++++ ...JwtSigningAndValidationServiceDefault.java | 33 +++++++++- .../config/ConfigurationPropertiesBean.java | 45 ++++++++++++++ .../token/ConnectAuthCodeTokenGranter.java | 60 +++++++++++++------ .../openid/connect/web/CheckIDEndpoint.java | 22 ++++++- .../spring/appServlet/servlet-context.xml | 9 +-- .../WEB-INF/spring/application-context.xml | 10 ++++ 10 files changed, 186 insertions(+), 38 deletions(-) create mode 100644 openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java diff --git a/openid-connect-common/.classpath b/openid-connect-common/.classpath index 74d8d97f5..1b28ee5d7 100644 --- a/openid-connect-common/.classpath +++ b/openid-connect-common/.classpath @@ -1,18 +1,11 @@ - - - + - - - - - diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java index 963622f87..7c69ced7f 100644 --- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java +++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java 
@@ -33,9 +33,13 @@ public abstract class AbstractJwtSigner implements JwtSigner { /** * Ensures that the 'alg' of the given JWT matches the {@link #algorithm} of this signer + * and signs the jwt. + * + * @param jwt the jwt to sign + * @return the signed jwt */ @Override - public void sign(Jwt jwt) { + public Jwt sign(Jwt jwt) { if (!Objects.equal(algorithm, jwt.getHeader().getAlgorithm())) { // algorithm type doesn't match // TODO: should this be an error or should we just fix it in the incoming jwt? @@ -45,7 +49,9 @@ public abstract class AbstractJwtSigner implements JwtSigner { String sig = generateSignature(jwt.getSignatureBase()); - jwt.setSignature(sig); + jwt.setSignature(sig); + + return jwt; } /* (non-Javadoc) diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java index 53307d3db..1ab37ef6b 100644 --- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java +++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java @@ -4,7 +4,7 @@ import org.mitre.jwt.model.Jwt; public interface JwtSigner { - public void sign(Jwt jwt); + public Jwt sign(Jwt jwt); public boolean verify(String jwtString); diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java index cb0bb8f1e..624327f41 100644 --- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java +++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java 
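Review bot: The new `@return the signed jwt` on `sign` in the first hunk does not say that the method signs in place and hands back the very instance it received, which is what `jwt.setSignature(sig); return jwt;` in the second hunk does and what a caller that downcasts the result (the commented `(IdToken) jwtService.signJwt(idToken)` elsewhere in this commit) would rely on. Suggest `@return the same {@code jwt} instance, with its signature set` here and the same sentence on the interface method in `JwtSigner`, which this commit changes without any Javadoc. The algorithm-mismatch branch still ends in a TODO and its outcome lies outside the hunk, so the doc's promise that the 'alg' is "ensured" to match cannot be confirmed from here; whichever way it is resolved, the header `alg` and this signer's algorithm must agree before a signature is produced, and the Javadoc should state what happens when they do not. The body of `sign` continues past the first hunk and begins before the second.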
@@ -45,4 +45,28 @@ public interface JwtSigningAndValidationService { * @return true if the signature is valid, false if not */ public boolean validateSignature(String jwtString); + + /** + * Called to sign a jwt for a client that hasn't registered a preferred signing algorithm. + * Use the default algorithm to sign. + * + * @param jwt the jwt to sign + * @return the signed jwt + */ + public Jwt signJwt(Jwt jwt); + + /** + * Sign a jwt using the selected algorithm. The algorithm is selected using the String parameter values specified + * in the JWT spec, section 6. I.E., "HS256" means HMAC with SHA-256 and corresponds to our HmacSigner class. + * + * @param jwt the jwt to sign + * @param alg the name of the algorithm to use, as specified in JWS s.6 + * @return the signed jwt + */ + //TODO: implement later; only need signJwt(Jwt jwt) for now + //public Jwt signJwt(Jwt jwt, String alg); + + /** + * TODO: method to sign a jwt using a specified algorithm and a key id + */ } diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java index 4168a8f00..782b247d5 100644 --- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java +++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java 
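Review bot: The hunk leaves commented-out code (`//public Jwt signJwt(Jwt jwt, String alg);`) and a dangling Javadoc block (`/** TODO: method to sign a jwt using a specified algorithm and a key id */`) attached to no member just before the closing brace; a plain `// TODO:` line is enough, and an orphaned Javadoc comment confuses doc tooling. The Javadoc for `signJwt(Jwt)` should also say what the method does with the JWT's header, i.e. whether it sets `alg` to the default signer's algorithm or expects the caller to have set it, since `AbstractJwtSigner.sign` compares the two before signing. When the `alg`-parameterised variant is implemented, the sentence about JWS s.6 names should be paired with the rule that only names of signers configured in this service are accepted and any other value is rejected rather than mapped to a fallback.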
@@ -15,11 +15,15 @@ import org.mitre.jwt.signer.JwtSigner; import org.mitre.jwt.signer.impl.EcdsaSigner; import org.mitre.jwt.signer.impl.RsaSigner; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; +import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.springframework.beans.factory.InitializingBean; +import org.springframework.beans.factory.annotation.Autowired; public class JwtSigningAndValidationServiceDefault implements JwtSigningAndValidationService, InitializingBean { + @Autowired + private ConfigurationPropertiesBean configBean; private List signers = new ArrayList(); @@ -153,7 +157,9 @@ public class JwtSigningAndValidationServiceDefault implements @Override public boolean validateIssuedJwt(Jwt jwt, String expectedIssuer) { - if (jwt.getClaims().getIssuer() == expectedIssuer) + String iss = jwt.getClaims().getIssuer(); + + if (iss.equals(expectedIssuer)) return true; return false; @@ -176,4 +182,29 @@ public class JwtSigningAndValidationServiceDefault implements return false; } + + @Override + public Jwt signJwt(Jwt jwt) { + String signerId = configBean.getDefaultJwtSigner(); + + //JwtSigner signer = map.get(signerId); + + //signer.sign(jwt); + + return null; + } + + /** + * @return the configBean + */ + public ConfigurationPropertiesBean getConfigBean() { + return configBean; + } + + /** + * @param configBean the configBean to set + */ + public void setConfigBean(ConfigurationPropertiesBean configBean) { + this.configBean = configBean; + } } diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java new file mode 100644 index 000000000..2fb276e4a --- /dev/null +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java 
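Review bot: `iss.equals(expectedIssuer)` in the second hunk throws a NullPointerException when the JWT carries no `iss` claim, so a malformed token produces a server error instead of a clean `false`; compare from the side that is known, `return expectedIssuer != null && expectedIssuer.equals(iss);`, which also folds the `if (...) return true; return false;` pair into one return. The guard on `expectedIssuer` matters because the value now comes from `ConfigurationPropertiesBean.getIssuer()`, which is null until configured, and two nulls must not count as a match.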
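Review bot: `signJwt` in the third hunk returns `null` after reading `configBean.getDefaultJwtSigner()` into an unused local, so any caller that enables `idToken = (IdToken) jwtService.signJwt(idToken)` would get a null ID token from a signing service that silently produced no signature. A stub on the signing path should fail loudly until it is implemented: replace `return null;` with `throw new UnsupportedOperationException("signJwt is not implemented yet");`. The commented-out lookup refers to `map`, but the signer registry visible in the first hunk is the `signers` list, so finishing this will need a structure keyed by the configured signer id.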
@@ -0,0 +1,45 @@ +package org.mitre.openid.connect.config; + + +/** + * Bean to hold configuration information that must be injected into various parts + * of our application. Set all of the properties here, and autowire a reference + * to this bean if you need access to any configuration properties. + * + * @author AANGANES + * + */ +public class ConfigurationPropertiesBean { + + private String issuer; + + private String defaultJwtSigner; + + public ConfigurationPropertiesBean() { + } + + /** + * @return the defaultJwtSigner + */ + public String getDefaultJwtSigner() { + return defaultJwtSigner; + } + + public void setDefaultJwtSigner(String signer) { + defaultJwtSigner = signer; + } + + /** + * @return the baseUrl + */ + public String getIssuer() { + return issuer; + } + + /** + * @param iss the issuer to set + */ + public void setIssuer(String iss) { + issuer = iss; + } +} diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java index 15adc4f4c..fe4b11073 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java @@ -7,9 +7,11 @@ import java.util.Date; import java.util.Map; import java.util.Set; +import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; import org.mitre.oauth2.service.OAuth2TokenEntityService; import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService; +import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.mitre.openid.connect.model.IdToken; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.Authentication; 
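Review bot: The Javadoc on `getIssuer()` reads `@return the baseUrl`, a leftover from the name it replaced; it should be `@return the issuer`, and `setDefaultJwtSigner` carries no Javadoc at all. The class comment should also say that `issuer` is security-relevant: this commit stamps it into every access and ID token in `ConnectAuthCodeTokenGranter` and compares presented tokens against it in `CheckIDEndpoint`, so it must be the server's canonical URL, and leaving it unset yields tokens whose `iss` claim is null. Suggest documenting both properties as required, e.g. on the field: `/** Required. Placed in the {@code iss} claim of every issued token and compared against on validation. */`.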
@@ -48,7 +50,8 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter { @Autowired private ClientCredentialsChecker clientCredentialsChecker; - private String issuer; + @Autowired + private ConfigurationPropertiesBean configBean; //TODO: Do we need to modify/update this? @Autowired @@ -57,6 +60,9 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter { @Autowired private IdTokenGeneratorService idTokenService; + @Autowired + private JwtSigningAndValidationService jwtService; + /** * Default empty constructor */ @@ -141,7 +147,7 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter { //TODO: need to get base url, but Utility.findBaseUrl() needs access to a request object, which we don't have //See github issue #1 - token.getJwt().getClaims().setIssuer(issuer); + token.getJwt().getClaims().setIssuer(configBean.getIssuer()); token.getJwt().getClaims().setIssuedAt(new Date()); // handle expiration @@ -155,17 +161,23 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter { if (authorizationRequest.getScope().contains("openid")) { String userId = userAuth.getName(); - - //TODO: need to get base url, but Utility.findBaseUrl() needs access to a request object, which we don't have - //See github issue #1 - IdToken idToken = idTokenService.generateIdToken(userId, issuer); + + IdToken idToken = idTokenService.generateIdToken(userId, configBean.getIssuer()); idToken.getClaims().setAudience(clientId); idToken.getClaims().setIssuedAt(new Date()); + idToken.getClaims().setIssuer(configBean.getIssuer()); // TODO: expiration? other fields? + //Sign + + //TODO: check client to see if they have a preferred alg, attempt to use that + + //TODO: uncomment line below once RsaSigner bean has been set up and added to the configBean + //idToken = (IdToken) jwtService.signJwt(idToken); + token.setIdToken(idToken); } - + tokenServices.saveAccessToken(token); return token; 
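Review bot: The two context comment lines directly above the changed `token.getJwt().getClaims().setIssuer(configBean.getIssuer())` in the third hunk (`//TODO: need to get base url, but Utility.findBaseUrl() needs access to a request object ...` and `//See github issue #1`) are now stale, since the issuer is read from configuration rather than derived from a request; the fourth hunk removes the same pair a few lines further down. Suggest dropping them here too, or replacing them with `// issuer comes from ConfigurationPropertiesBean, not from the request; see github issue #1`. The enclosing method starts and ends outside the hunk.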
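Review bot: In the fourth hunk the ID token is attached to the access token and persisted via `tokenServices.saveAccessToken(token)` with signing still commented out (`//idToken = (IdToken) jwtService.signJwt(idToken);`) and expiration left as a TODO, so the ID token handed to the client is unsigned and never expires; until the signer bean is wired, the `openid` branch should not release an ID token at all rather than one that cannot be validated, and the commented line deserves a `// FIXME: ID token is issued unsigned until signJwt is enabled` so the gap is visible. `idToken.getClaims().setIssuer(configBean.getIssuer())` also repeats the issuer just passed to `generateIdToken(userId, configBean.getIssuer())`; if that service already stamps it, one of the two should go. The `(IdToken)` cast relies on `signJwt` returning the instance it was given, which is worth a comment once it is enabled. The enclosing method starts and ends outside the hunk.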
@@ -207,18 +219,28 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter { this.tokenServices = tokenServices; } - /** - * @return the issuer - */ - public String getIssuer() { - return issuer; - } + public ConfigurationPropertiesBean getConfigBean() { + return configBean; + } - /** - * @param issuer the issuer to set - */ - public void setIssuer(String issuer) { - this.issuer = issuer; - } + public void setConfigBean(ConfigurationPropertiesBean configBean) { + this.configBean = configBean; + } + + public IdTokenGeneratorService getIdTokenService() { + return idTokenService; + } + + public void setIdTokenService(IdTokenGeneratorService idTokenService) { + this.idTokenService = idTokenService; + } + + public JwtSigningAndValidationService getJwtService() { + return jwtService; + } + + public void setJwtService(JwtSigningAndValidationService jwtService) { + this.jwtService = jwtService; + } } diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java index 15859f91f..6ba3f4600 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java @@ -3,6 +3,7 @@ package org.mitre.openid.connect.web; import javax.servlet.http.HttpServletRequest; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; +import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.mitre.openid.connect.exception.ExpiredTokenException; import org.mitre.openid.connect.exception.InvalidJwtIssuerException; import org.mitre.openid.connect.exception.InvalidJwtSignatureException; 
@@ -20,6 +21,9 @@ public class CheckIDEndpoint { @Autowired JwtSigningAndValidationService jwtSignerService; + @Autowired + private ConfigurationPropertiesBean configBean; + @RequestMapping("/checkid") public ModelAndView checkID(@RequestParam("id_token") String tokenString, ModelAndView mav, HttpServletRequest request) { @@ -38,11 +42,27 @@ public class CheckIDEndpoint { } // check the issuer (sanity check) - if (!jwtSignerService.validateIssuedJwt(token, Utility.findBaseUrl(request))) { + if (!jwtSignerService.validateIssuedJwt(token, configBean.getIssuer())) { throw new InvalidJwtIssuerException(); // TODO: create a view for this exception } return new ModelAndView("jsonIdTokenView", "checkId", token); // TODO: create a view for this } + + public JwtSigningAndValidationService getJwtSignerService() { + return jwtSignerService; + } + + public void setJwtSignerService(JwtSigningAndValidationService jwtSignerService) { + this.jwtSignerService = jwtSignerService; + } + + public ConfigurationPropertiesBean getConfigBean() { + return configBean; + } + + public void setConfigBean(ConfigurationPropertiesBean configBean) { + this.configBean = configBean; + } } diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml index 9082ee533..663d2fef9 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml +++ b/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml @@ -41,8 +41,8 @@ - - + + @@ -53,8 +53,5 @@ - - - - + diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml index 95e027b4a..3cdc1a74e 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml +++ b/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml 
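Review bot: With the issuer now taken from `configBean.getIssuer()` in the second hunk, the `HttpServletRequest request` parameter of `checkID` (visible in the first hunk's context) has no remaining use in the visible code, and neither does `Utility`; if nothing above the hunk reads them, drop the parameter and the import so the endpoint's signature reflects what it actually consumes. `checkID` also has no Javadoc; a short one listing the checks performed on the presented `id_token` and stating that the issuer comparison is against the configured value rather than one derived from the request would help the next reader, and the new accessors added after the method carry no documentation either. The body of `checkID` begins outside the second hunk.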
@@ -80,6 +80,16 @@ + + + + + + + + + +