From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <6e923b2f40594a4999d849240feaaa03@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5960] Prototyping default encrypting providers Date: Wed, 20 Aug 2014 11:38:46 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.0.x-fixes dd96a9d71 -> a3e071687 [CXF-5960] Prototyping default encrypting providers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a3e07168 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a3e07168 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a3e07168 Branch: refs/heads/3.0.x-fixes Commit: a3e071687de318c17e7543a56c773849b5fa1442 Parents: dd96a9d Author: Sergey Beryozkin Authored: Wed Aug 20 12:36:34 2014 +0100 Committer: Sergey Beryozkin Committed: Wed Aug 20 12:38:21 2014 +0100 ---------------------------------------------------------------------- .../code/DefaultEncryptingCodeDataProvider.java | 98 ++++++++++++++++++++ .../provider/AbstractOAuthDataProvider.java | 16 ++-- .../DefaultEHCacheOAuthDataProvider.java | 8 +- .../DefaultEncryptingOAuthDataProvider.java | 93 +++++++++++++++++++ 4 files changed, 203 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a3e07168/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java new file mode 100644 index 0000000..1959952 --- /dev/null 
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java 
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.grants.code;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;
+
+public class DefaultEncryptingCodeDataProvider extends DefaultEncryptingOAuthDataProvider
+ implements AuthorizationCodeDataProvider {
+ private long grantLifetime;
+ private Set grants = Collections.synchronizedSet(new HashSet());
+ public DefaultEncryptingCodeDataProvider(String algo, int keySize) {
+ super(algo, keySize);
+ }
+ public DefaultEncryptingCodeDataProvider(KeyProperties props) {
+ super(props);
+ }
+ public DefaultEncryptingCodeDataProvider(SecretKey key) {
+ super(key);
+ }
+ @Override
+ public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg)
+ throws OAuthServiceException {
+ ServerAuthorizationCodeGrant grant = doCreateCodeGrant(reg);
+ saveAuthorizationGrant(grant);
+ return grant;
+ }
+
+ @Override
+ public ServerAuthorizationCodeGrant removeCodeGrant(String code) throws OAuthServiceException {
+ grants.remove(code);
+ return ModelEncryptionSupport.decryptCodeGrant(this, code, key);
+ }
+
+ protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
+ throws OAuthServiceException {
+ ServerAuthorizationCodeGrant grant =
+ new ServerAuthorizationCodeGrant(reg.getClient(), getCode(reg), getGrantLifetime(), getIssuedAt());
+ grant.setApprovedScopes(getApprovedScopes(reg));
+ grant.setAudience(reg.getAudience());
+ grant.setClientCodeVerifier(reg.getClientCodeVerifier());
+ grant.setSubject(reg.getSubject());
+ grant.setRedirectUri(reg.getRedirectUri());
+ return grant;
+ }
+
+ protected List getApprovedScopes(AuthorizationCodeRegistration reg) {
+ return reg.getApprovedScope();
+ }
+
+ protected String getCode(AuthorizationCodeRegistration reg) {
+ return OAuthUtils.generateRandomTokenKey();
+ }
+
+ public long getGrantLifetime() {
+ return grantLifetime;
+ }
+
+ public void setGrantLifetime(long lifetime) {
+ this.grantLifetime = lifetime;
+ }
+
+ protected long getIssuedAt() {
+ return OAuthUtils.getIssuedAt();
+ }
+
+ protected void saveAuthorizationGrant(ServerAuthorizationCodeGrant grant) {
+ String encrypted = ModelEncryptionSupport.encryptCodeGrant(grant, key);
+ grant.setCode(encrypted);
+ grants.add(encrypted);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a3e07168/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
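Review bot: removeCodeGrant ignores the result of `grants.remove(code)` and decrypts the code either way, so a code that has already been redeemed (and removed from `grants`) still decrypts to a valid-looking grant and can be exchanged again; return early when the set did not contain it, `if (!grants.remove(code)) { return null; }` (or throw OAuthServiceException, whichever the grant handler maps to invalid_grant), before calling ModelEncryptionSupport.decryptCodeGrant. The same decrypt-without-lookup shape appears in DefaultEncryptingOAuthDataProvider in this commit, where getAccessToken never consults `tokens` and revokeRefreshToken discards the result of `refreshTokens.remove`, so revocation does not change what those methods return. grantLifetime defaults to 0 and nothing in this class checks expiry; a comment on the field stating how a zero lifetime is interpreted, or a non-zero default, would help whoever configures this provider.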
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java index 915d87f..7494d74 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java @@ -47,7 +47,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider { @Override public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List requestedScopes) throws OAuthServiceException { - RefreshToken oldRefreshToken = removeRefreshToken(client, refreshTokenKey); + RefreshToken oldRefreshToken = revokeRefreshToken(client, refreshTokenKey); ServerAccessToken serverToken = doRefreshAccessToken(client, oldRefreshToken, requestedScopes); saveAccessToken(serverToken); @@ -56,13 +56,13 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider { @Override public void revokeToken(Client client, String tokenKey, String tokenTypeHint) throws OAuthServiceException { - if (removeAccessToken(tokenKey)) { + if (revokeAccessToken(tokenKey)) { return; } - RefreshToken oldRefreshToken = removeRefreshToken(client, tokenKey); + RefreshToken oldRefreshToken = revokeRefreshToken(client, tokenKey); if (oldRefreshToken != null) { for (String accessTokenKey : oldRefreshToken.getAccessTokens()) { - removeAccessToken(accessTokenKey); + revokeAccessToken(accessTokenKey); } } } @@ -111,7 +111,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider { rt.setScopes(at.getScopes()); rt.getAccessTokens().add(at.getTokenKey()); at.setRefreshToken(rt.getTokenKey()); - saveRefreshToken(rt); + saveRefreshToken(at, rt); return rt; } 
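Review bot: In the `@@ -111` hunk, `saveRefreshToken(at, rt)` is called right after `at.setRefreshToken(rt.getTokenKey())`, and the DefaultEncryptingOAuthDataProvider implementation added in this commit overwrites that value with the encrypted refresh token, yet nothing states that implementations may rewrite the access token's refresh-token reference. If `at` has already been passed to saveAccessToken when this runs (createNewRefreshToken starts outside the hunk, so the order is not visible), the stored form and the in-memory object end up holding different references. A comment at the call would make the expectation explicit: `// implementations may replace at's refresh-token key (e.g. with an encrypted form)`. The renames in the `@@ -47` and `@@ -56` hunks match the new abstract signatures.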
@@ -142,8 +142,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider { } protected abstract void saveAccessToken(ServerAccessToken serverToken); - protected abstract void saveRefreshToken(RefreshToken refreshToken); - protected abstract boolean removeAccessToken(String accessTokenKey); - protected abstract RefreshToken removeRefreshToken(Client client, String refreshTokenKey); + protected abstract void saveRefreshToken(ServerAccessToken at, RefreshToken refreshToken); + protected abstract boolean revokeAccessToken(String accessTokenKey); + protected abstract RefreshToken revokeRefreshToken(Client client, String refreshTokenKey); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a3e07168/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java index 4db4bbd..78ab702 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java 
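Review bot: The three new abstract declarations carry no Javadoc, and their contracts are exactly what an implementer needs: that `saveRefreshToken` receives the access token the refresh token was created for and may update its refresh-token reference, that `revokeAccessToken` returns true only when a token was actually removed (revokeToken in the `@@ -56` hunk relies on that to decide whether to treat the key as a refresh token), and that `revokeRefreshToken` returns null when the key is unknown. One `@param`/`@return` line per method would capture this. The `client` parameter of `revokeRefreshToken` is ignored by the encrypting implementation in this commit, so stating whether an implementation must check that the refresh token belongs to the given client matters here.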
@@ -77,14 +77,14 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { @Override public void removeAccessToken(ServerAccessToken accessToken) throws OAuthServiceException { - removeAccessToken(accessToken.getTokenKey()); + revokeAccessToken(accessToken.getTokenKey()); } - protected boolean removeAccessToken(String accessTokenKey) { + protected boolean revokeAccessToken(String accessTokenKey) { return accessTokenCache.remove(accessTokenKey); } - protected RefreshToken removeRefreshToken(Client client, String refreshTokenKey) { + protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) { RefreshToken refreshToken = getCacheValue(refreshTokenCache, refreshTokenKey, RefreshToken.class); if (refreshToken != null) { refreshTokenCache.remove(refreshTokenKey); @@ -96,7 +96,7 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { putCacheValue(accessTokenCache, serverToken.getTokenKey(), serverToken, serverToken.getExpiresIn()); } - protected void saveRefreshToken(RefreshToken refreshToken) { + protected void saveRefreshToken(ServerAccessToken at, RefreshToken refreshToken) { putCacheValue(refreshTokenCache, refreshToken.getTokenKey(), refreshToken, refreshToken.getExpiresIn()); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a3e07168/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java new file mode 100644 index 0000000..bb510af --- /dev/null 
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java 
@@ -0,0 +1,93 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;
+
+public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvider {
+ protected SecretKey key;
+ private Set tokens = Collections.synchronizedSet(new HashSet());
+ private ConcurrentHashMap refreshTokens = new ConcurrentHashMap();
+
+ public DefaultEncryptingOAuthDataProvider(String algo, int keySize) {
+ this(new KeyProperties(algo, keySize));
+ }
+ public DefaultEncryptingOAuthDataProvider(KeyProperties props) {
+ this(CryptoUtils.getSecretKey(props));
+ }
+ public DefaultEncryptingOAuthDataProvider(SecretKey key) {
+ this.key = key;
+ }
+
+ @Override
+ public Client getClient(String clientId) throws OAuthServiceException {
+ return null;
+ }
+
+ @Override
+ public ServerAccessToken getAccessToken(String accessToken) throws OAuthServiceException {
+ return ModelEncryptionSupport.decryptAccessToken(this, accessToken, key);
+ }
+
+ @Override
+ public void removeAccessToken(ServerAccessToken accessToken) throws OAuthServiceException {
+ revokeAccessToken(accessToken.getTokenKey());
+ }
+
+ @Override
+ protected void saveAccessToken(ServerAccessToken serverToken) {
+ encryptAccessToken(serverToken);
+ }
+
+ @Override
+ protected boolean revokeAccessToken(String accessTokenKey) {
+ return tokens.remove(accessTokenKey);
+ }
+
+ @Override
+ protected void saveRefreshToken(ServerAccessToken at, RefreshToken refreshToken) {
+ String encryptedRefreshToken = ModelEncryptionSupport.encryptRefreshToken(refreshToken, key);
+ at.setRefreshToken(encryptedRefreshToken);
+ }
+
+ @Override
+ protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
+ refreshTokens.remove(refreshTokenKey);
+ return ModelEncryptionSupport.decryptRefreshToken(this, refreshTokenKey, key);
+ }
+
+ private void encryptAccessToken(ServerAccessToken token) {
+ String encryptedToken = ModelEncryptionSupport.encryptAccessToken(token, key);
+ tokens.add(encryptedToken);
+ refreshTokens.put(token.getRefreshToken(), encryptedToken);
+ token.setTokenKey(encryptedToken);
+ }
+}
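Review bot: encryptAccessToken passes `token.getRefreshToken()` straight to `refreshTokens.put`, and ConcurrentHashMap throws NullPointerException on a null key, so saveAccessToken fails for any access token that has no refresh token attached at that point; the AbstractOAuthDataProvider hunk in this commit attaches it via at.setRefreshToken inside createNewRefreshToken, and whether that runs before or after saveAccessToken is not visible here. Guard the put, `if (token.getRefreshToken() != null) { refreshTokens.put(token.getRefreshToken(), encryptedToken); }`. The `refreshTokens` map is otherwise only written to and removed from, never read, so if it is meant to link a refresh token to the access tokens it can revoke that lookup is still missing and deserves a TODO on the field. getClient returns null unconditionally; a Javadoc line saying subclasses must override it to resolve registered clients would make that expectation explicit.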