Merge pull request indigo-iam#416 from indigo-iam/release-v1.7.1

Release v1.7.1
sam-glendenning · Sep 11, 2021 · 0c674fb · 0c674fb
2 parents afde07c + f6bb42b
commit 0c674fb
Show file tree

Hide file tree

Showing 17 changed files with 325 additions and 112 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## 1.7.1 (2021-09-13)
+
+This release provides changes and bug fixes to the IAM test client application.
+
+### Added
+
+- The IAM test client application, in its default configuration, no longer
+  exposes tokens, but only the claims contained in tokens. It's possible to
+  revert to the previous behavior by setting the `IAM_CLIENT_HIDE_TOKENS=false`
+  environment variable (#414)
+
+### Fixed
+
+- A problem that prevented the correct behaviour of the IAM test client has
+  been fixed (#415)
 
 ## 1.7.0 (2021-09-02)
 

diff --git a/iam-common/pom.xml b/iam-common/pom.xml
@@ -7,7 +7,7 @@
   <parent>
     <groupId>it.infn.mw</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>iam-common</artifactId>

diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml
@@ -23,7 +23,7 @@
   <parent>
     <groupId>it.infn.mw</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>iam-login-service</artifactId>

diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js
@@ -48,8 +48,11 @@
     };
 
     self.storeIdpChoice = function(){
+      var today = new Date();
+      var exp = today;
+      exp.setMonth(today.getMonth() + 12); 
       if ($scope.rememberChoice === 'y'){
-        $cookies.putObject(COOKIE_KEY, $scope.idpSelected);
+        $cookies.putObject(COOKIE_KEY, $scope.idpSelected, { expires: exp });
       }
     };
 

diff --git a/iam-persistence/pom.xml b/iam-persistence/pom.xml
@@ -23,7 +23,7 @@
   <parent>
     <groupId>it.infn.mw</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
   </parent>
   <artifactId>iam-persistence</artifactId>
   <packaging>jar</packaging>

diff --git a/iam-test-client/pom.xml b/iam-test-client/pom.xml
@@ -7,7 +7,7 @@
   <parent>
     <groupId>it.infn.mw</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
   </parent>
 
   <artifactId>iam-test-client</artifactId>

diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java
@@ -0,0 +1,62 @@
+package it.infn.mw.tc;
+
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static java.util.stream.Collectors.joining;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.mitre.oauth2.model.RegisteredClient;
+import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
+import org.mitre.openid.connect.config.ServerConfiguration;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+
+public class IamAuthRequestOptionsService implements AuthRequestOptionsService {
+
+  IamClientConfig properties;
+
+
+  public IamAuthRequestOptionsService(IamClientConfig properties) {
+    this.properties = properties;
+  }
+
+  private String sanitizeScope(String scope, RegisteredClient client) {
+    List<String> requestedScopes = Splitter.on(" ").splitToList(scope);
+    return requestedScopes.stream().filter(client.getScope()::contains).collect(joining(" "));
+  }
+
+  @Override
+  public Map<String, String> getOptions(ServerConfiguration server, RegisteredClient client,
+      HttpServletRequest request) {
+    Map<String, String> options = new HashMap<>();
+
+    if (!isNullOrEmpty(properties.getExtAuthnHint())) {
+      options.put("ext_authn_hint", properties.getExtAuthnHint());
+    }
+
+    if (request.getParameter("scope") != null) {
+      String sanitizedScope = sanitizeScope(request.getParameter("scope"), client);
+
+      if (!Strings.isNullOrEmpty(sanitizedScope)) {
+        options.put("scope", sanitizedScope);
+      }
+
+    }
+
+    return options;
+  }
+
+  @Override
+  public Map<String, String> getTokenOptions(ServerConfiguration server, RegisteredClient client,
+      HttpServletRequest request) {
+
+    return Collections.emptyMap();
+  }
+
+}
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java
@@ -0,0 +1,62 @@
+package it.infn.mw.tc;
+
+import java.net.URISyntaxException;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.http.client.utils.URIBuilder;
+import org.mitre.oauth2.model.RegisteredClient;
+import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder;
+import org.mitre.openid.connect.config.ServerConfiguration;
+import org.springframework.security.authentication.AuthenticationServiceException;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+
+public class IamAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
+
+
+  @Override
+  public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig,
+      String redirectUri, String nonce, String state, Map<String, String> options,
+      String loginHint) {
+
+    try {
+
+      URIBuilder uriBuilder = new URIBuilder(serverConfig.getAuthorizationEndpointUri());
+      uriBuilder.addParameter("response_type", "code");
+      uriBuilder.addParameter("client_id", clientConfig.getClientId());
+
+      if (options.get("scope") != null) {
+        uriBuilder.addParameter("scope", options.get("scope"));
+      } else {
+        uriBuilder.addParameter("scope", Joiner.on(" ").join(clientConfig.getScope()));
+      }
+
+
+      uriBuilder.addParameter("redirect_uri", redirectUri);
+
+      uriBuilder.addParameter("nonce", nonce);
+
+      uriBuilder.addParameter("state", state);
+
+      // Optional parameters:
+      for (Entry<String, String> option : options.entrySet()) {
+        uriBuilder.addParameter(option.getKey(), option.getValue());
+      }
+
+      // if there's a login hint, send it
+      if (!Strings.isNullOrEmpty(loginHint)) {
+        uriBuilder.addParameter("login_hint", loginHint);
+      }
+
+      return uriBuilder.build().toString();
+
+    } catch (URISyntaxException e) {
+      throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e);
+
+    }
+
+  }
+
+}
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java
@@ -25,9 +25,8 @@
 import org.mitre.oauth2.model.RegisteredClient;
 import org.mitre.openid.connect.client.OIDCAuthenticationFilter;
 import org.mitre.openid.connect.client.OIDCAuthenticationProvider;
+import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
 import org.mitre.openid.connect.client.service.IssuerService;
-import org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder;
-import org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService;
 import org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService;
 import org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -72,7 +71,7 @@ public OIDCAuthenticationFilter openIdConnectAuthenticationFilter()
 
     filter.setClientConfigurationService(staticClientConfiguration());
     filter.setAuthRequestOptionsService(authOptions());
-    filter.setAuthRequestUrlBuilder(new PlainAuthRequestUrlBuilder());
+    filter.setAuthRequestUrlBuilder(new IamAuthRequestUrlBuilder());
     filter.setHttpRequestFactory(httpRequestFactory());
 
 
@@ -120,9 +119,9 @@ private StaticClientConfigurationService staticClientConfiguration() {
     return config;
   }
 
-  private StaticAuthRequestOptionsService authOptions() {
+  private AuthRequestOptionsService authOptions() {
 
-    return new StaticAuthRequestOptionsService();
+    return new IamAuthRequestOptionsService(iamClientConfig);
   }
 
   public X509CertChainValidatorExt certificateValidator() {

diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java
@@ -31,6 +31,8 @@ public void setUseGridTrustAnchors(boolean useGridTrustAnchors) {
   String extAuthnHint;
   TlsConfig tls;
 
+  boolean hideTokens = true;
+
   public IamClientConfig() {
     setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
   }
@@ -54,4 +56,12 @@ public void setExtAuthnHint(String extAuthnHint) {
   public void setOrganizationName(String organizationName) {
     this.organizationName = organizationName;
   }
+
+  public boolean isHideTokens() {
+    return hideTokens;
+  }
+
+  public void setHideTokens(boolean hideTokens) {
+    this.hideTokens = hideTokens;
+  }
 }
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java
@@ -2,9 +2,7 @@
 
 import java.io.IOException;
 import java.security.Principal;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
+import java.text.ParseException;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -13,15 +11,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.mitre.oauth2.model.RegisteredClient;
 import org.mitre.openid.connect.client.OIDCAuthenticationFilter;
-import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
-import org.mitre.openid.connect.config.ServerConfiguration;
 import org.mitre.openid.connect.model.OIDCAuthenticationToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -52,7 +46,7 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.WebUtils;
 
-import com.google.common.base.Strings;
+import com.nimbusds.jwt.JWTParser;
 
 @SpringBootApplication
 @EnableAutoConfiguration(exclude = {ErrorMvcAutoConfiguration.class})
@@ -69,9 +63,6 @@ public class IamTestClientApplication extends WebSecurityConfigurerAdapter {
 
   @Autowired
   ClientHttpRequestFactory requestFactory;
-
-  @Value("${iam.extAuthnHint}")
-  String extAuthnHint;
 
   public static void main(String[] args) {
 
@@ -89,38 +80,10 @@ public void commence(HttpServletRequest request, HttpServletResponse response,
     }
 
   }
-
-  public class ExtAuthnRequestOptionsService implements AuthRequestOptionsService{
 
-    final String authnHint;
-
-    public ExtAuthnRequestOptionsService(String hint) {
-      this.authnHint = hint;
-    }
-
-    @Override
-    public Map<String, String> getOptions(ServerConfiguration server, RegisteredClient client,
-        HttpServletRequest request) {
-      Map<String, String> m = new HashMap<>();
-      m.put("ext_authn_hint", authnHint);
-      return m;
-    }
-
-    @Override
-    public Map<String, String> getTokenOptions(ServerConfiguration server, RegisteredClient client,
-        HttpServletRequest request) {
-      return Collections.emptyMap();
-    }
-
-  }
 
   @Override
   protected void configure(HttpSecurity http) throws Exception {
-
-    if (!Strings.isNullOrEmpty(extAuthnHint)) {
-      oidcFilter.setAuthRequestOptionsService(new ExtAuthnRequestOptionsService(extAuthnHint));
-    }
-
     // @formatter:off
     http.antMatcher("/**").authorizeRequests()
         .antMatchers("/", "/user", "/error", "/openid_connect_login**", "/webjars/**").permitAll()
@@ -172,7 +135,32 @@ public OpenIDAuthentication info(Principal principal) {
 
     if (principal instanceof OIDCAuthenticationToken) {
       OIDCAuthenticationToken token = (OIDCAuthenticationToken) principal;
-      OpenIDAuthentication auth = new OpenIDAuthentication(token);
+      OpenIDAuthentication auth = new OpenIDAuthentication();
+
+      auth.setIssuer(token.getIssuer());
+      auth.setSub(token.getSub());
+
+      if (!clientConfig.isHideTokens()) {
+        auth.setAccessToken(token.getAccessTokenValue());
+        auth.setIdToken(token.getIdToken().getParsedString());
+        auth.setRefreshToken(token.getRefreshTokenValue());
+      }
+
+      try {
+        auth.setAccessTokenClaims(JWTParser.parse(token.getAccessTokenValue())
+          .getJWTClaimsSet()
+          .toJSONObject()
+          .toString());
+
+        auth.setIdTokenClaims(token.getIdToken().getJWTClaimsSet().toJSONObject().toString());
+      } catch (ParseException e) {
+        LOG.error(e.getMessage(), e);
+      }
+
+      auth.setName(token.getUserInfo().getName());
+      auth.setFamilyName(token.getUserInfo().getFamilyName());
+      auth.setUserInfo(token.getUserInfo().toJson().toString());
+
       return auth;
     }
 

diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java b/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java
@@ -1,7 +1,9 @@
 package it.infn.mw.tc;
 
 import java.util.stream.Collectors;
+
 import javax.servlet.http.HttpServletRequest;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.web.ErrorController;
 import org.springframework.http.client.ClientHttpRequestFactory;
@@ -35,6 +37,11 @@ public String organizationName() {
     return clientConfig.getOrganizationName();
   }
 
+  @ModelAttribute("hidesTokens")
+  public Boolean hidesTokens() {
+    return clientConfig.isHideTokens();
+  }
+
   @RequestMapping("/")
   public String index(Model model) {
     return "index";