From d1033b693fd36b0e94b6eeb04f1758cd64773aa0 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Mon, 21 Dec 2015 15:51:39 -0500
Subject: [PATCH] added privacy-preserving client logo cache

---
 .../openid/connect/model/CachedImage.java     |  67 ++++++++++
 .../service/ClientLogoLoadingService.java     |  35 ++++++
 .../src/main/webapp/WEB-INF/views/approve.jsp |   4 +-
 .../webapp/resources/template/client.html     |   2 +-
 .../InMemoryClientLogoLoadingService.java     | 115 ++++++++++++++++++
 .../mitre/openid/connect/web/ClientAPI.java   |  32 +++++
 6 files changed, 252 insertions(+), 3 deletions(-)
 create mode 100644 openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java
 create mode 100644 openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
 create mode 100644 openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/InMemoryClientLogoLoadingService.java

diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java
new file mode 100644
index 000000000..af458c06e
--- /dev/null
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.model;
+
+/**
+ * @author jricher
+ *
+ */
+public class CachedImage {
+	
+	private byte[] data;
+	private String contentType;
+	private long length;
+	
+	/**
+	 * @return the data
+	 */
+	public byte[] getData() {
+		return data;
+	}
+	/**
+	 * @param data the data to set
+	 */
+	public void setData(byte[] data) {
+		this.data = data;
+	}
+	/**
+	 * @return the contentType
+	 */
+	public String getContentType() {
+		return contentType;
+	}
+	/**
+	 * @param contentType the contentType to set
+	 */
+	public void setContentType(String contentType) {
+		this.contentType = contentType;
+	}
+	/**
+	 * @return the length
+	 */
+	public long getLength() {
+		return length;
+	}
+	/**
+	 * @param length the length to set
+	 */
+	public void setLength(long length) {
+		this.length = length;
+	}
+
+}
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
new file mode 100644
index 000000000..290b89343
--- /dev/null
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service;
+
+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.openid.connect.model.CachedImage;
+
+/**
+ * @author jricher
+ *
+ */
+public interface ClientLogoLoadingService {
+
+	/**
+	 * @param client
+	 * @return
+	 */
+	public CachedImage getLogo(ClientDetailsEntity client);
+
+}
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
index a42826a96..9484321e1 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
@@ -84,7 +84,7 @@
 					<c:if test="${ not empty client.logoUri }">
 						<ul class="thumbnails">
 							<li class="span5">
-								<a class="thumbnail" data-toggle="modal" data-target="#logoModal"><img src="${ fn:escapeXml(client.logoUri) }" /></a>
+								<a class="thumbnail" data-toggle="modal" data-target="#logoModal"><img src="api/clients/${ client.id }/logo" /></a>
 							</li>
 						</ul>
 						<!-- Modal -->
@@ -103,7 +103,7 @@
 								</h3>
 							</div>
 							<div class="modal-body">
-								<img src="${ fn:escapeXml(client.logoUri) }" />
+								<img src="api/clients/${ client.id }/logo" />
 								<c:if test="${ not empty client.clientUri }">
 									<a href="<c:out value="${ client.clientUri }" />"><c:out value="${ client.clientUri }" /></a>
 								</c:if>
diff --git a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
index 3a0c0e6ff..820e8b888 100644
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
@@ -31,7 +31,7 @@
 
 		<div class="media">
 			<% if (client.logoUri) { %>
-				<span class="pull-left"><img class="media-object client-logo" src="<%- client.logoUri %>"></span>
+				<span class="pull-left"><img class="media-object client-logo" src="api/clients/<%- client.id ->/logo"></span>
 			<% } %>
 
 			<div class="media-body">
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/InMemoryClientLogoLoadingService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/InMemoryClientLogoLoadingService.java
new file mode 100644
index 000000000..ee055505b
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/InMemoryClientLogoLoadingService.java
@@ -0,0 +1,115 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpException;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.openid.connect.model.CachedImage;
+import org.mitre.openid.connect.service.ClientLogoLoadingService;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.stereotype.Service;
+
+import com.google.common.base.Strings;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+import com.google.common.util.concurrent.UncheckedExecutionException;
+
+/**
+ * @author jricher
+ *
+ */
+@Service("inMemoryClientLogoLoadingService")
+public class InMemoryClientLogoLoadingService implements ClientLogoLoadingService {
+
+	private LoadingCache<ClientDetailsEntity, CachedImage> cache;
+	
+	
+	/**
+	 * 
+	 */
+	public InMemoryClientLogoLoadingService() {
+		
+		cache = CacheBuilder.newBuilder()
+				.maximumSize(100)
+				.expireAfterAccess(14, TimeUnit.DAYS)
+				.build(new ClientLogoFetcher());
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.mitre.openid.connect.service.ClientLogoLoadingService#getLogo(org.mitre.oauth2.model.ClientDetailsEntity)
+	 */
+	@Override
+	public CachedImage getLogo(ClientDetailsEntity client) {
+		try {
+			if (client != null && !Strings.isNullOrEmpty(client.getLogoUri())) {
+				return cache.get(client);
+			} else {
+				return null;
+			}
+		} catch (UncheckedExecutionException | ExecutionException e) {
+			return null;
+		}
+	}
+
+	/**
+	 * @author jricher
+	 *
+	 */
+	public class ClientLogoFetcher extends CacheLoader<ClientDetailsEntity, CachedImage> {
+		private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
+		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+
+		/* (non-Javadoc)
+		 * @see com.google.common.cache.CacheLoader#load(java.lang.Object)
+		 */
+		@Override
+		public CachedImage load(ClientDetailsEntity key) throws Exception {
+			try {
+				HttpResponse response = httpClient.execute(new HttpGet(key.getLogoUri()));
+				
+				HttpEntity entity = response.getEntity();
+				
+				CachedImage image = new CachedImage();
+				
+				image.setContentType(entity.getContentType().getValue());
+				image.setLength(entity.getContentLength());
+				image.setData(IOUtils.toByteArray(entity.getContent()));
+				
+				return image;
+			} catch (IOException e) {
+				throw new IllegalArgumentException("Unable to load client image.");
+			}
+		}
+
+	}
+
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index db95245f9..40222043f 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -24,6 +24,8 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.web.AuthenticationUtilities;
+import org.mitre.openid.connect.model.CachedImage;
+import org.mitre.openid.connect.service.ClientLogoLoadingService;
 import org.mitre.openid.connect.view.ClientEntityViewForAdmins;
 import org.mitre.openid.connect.view.ClientEntityViewForUsers;
 import org.mitre.openid.connect.view.HttpCodeView;
@@ -32,8 +34,10 @@ import org.mitre.openid.connect.view.JsonErrorView;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
@@ -74,6 +78,9 @@ public class ClientAPI {
 	@Autowired
 	private ClientDetailsEntityService clientService;
 
+	@Autowired
+	private ClientLogoLoadingService clientLogoLoadingService;
+
 	private JsonParser parser = new JsonParser();
 
 	private Gson gson = new GsonBuilder()
@@ -393,5 +400,30 @@ public class ClientAPI {
 			return ClientEntityViewForUsers.VIEWNAME;
 		}
 	}
+	
+	/**
+	 * Get the logo image for a client
+	 * @param id
+	 */
+	 @RequestMapping(value = "/{id}/logo", method=RequestMethod.GET, produces = { MediaType.IMAGE_GIF_VALUE, MediaType.IMAGE_JPEG_VALUE, MediaType.IMAGE_PNG_VALUE })
+	 public ResponseEntity<byte[]> getClientLogo(@PathVariable("id") Long id, Model model) {
+		 
+			ClientDetailsEntity client = clientService.getClientById(id);
+
+			if (client == null) {
+				return new ResponseEntity<>(HttpStatus.NOT_FOUND);
+			} else if (Strings.isNullOrEmpty(client.getLogoUri())) {
+				return new ResponseEntity<>(HttpStatus.NOT_FOUND);
+			} else {
+				// get the image from cache
+				CachedImage image = clientLogoLoadingService.getLogo(client);
+				
+				HttpHeaders headers = new HttpHeaders();
+				headers.setContentType(MediaType.parseMediaType(image.getContentType()));
+				headers.setContentLength(image.getLength());
+				
+				return new ResponseEntity<>(image.getData(), headers, HttpStatus.OK);
+			}
+	 }
 
 }