Merge branch 'develop'

Release SSO Connector 2.1.1

Signed-off-by: Can Berk Güder <[email protected]>

Author: Hieu Nguyen

README.md

@@ -18,7 +18,7 @@ security.oauth2.client.userAuthorizationUri  |  {ssoServiceUrl}/oauth/authorize
 security.oauth2.client.accessTokenUri  |  {ssoServiceUrl}/oauth/token
 security.oauth2.resource.userInfoUri  |  {ssoServiceUrl}/userinfo
 security.oauth2.resource.tokenInfoUri  |  {ssoServiceUrl}/check_token
-security.oauth2.resource.jwt.keyUri  |  {ssoServiceUrl}/token_key
+security.oauth2.resource.jwk.key-set-uri  |  {ssoServiceUrl}/token_keys
 
 Note: ssoServiceUrl refers to the service uri corresponding to a Pivotal Single Sign-On service plan. For more information on configuring a service plan please refer to http://docs.pivotal.io/p-identity/index.html#create-plan
 

build.gradle

@@ -54,10 +54,12 @@ artifacts {
 
 dependencies {
     compile 'org.springframework.cloud:spring-cloud-starter-oauth2'
+    compile 'org.springframework.security.oauth:spring-security-oauth2:2.2.0.RELEASE'
     compile 'org.springframework.cloud:spring-cloud-spring-service-connector'
     compile 'org.springframework.cloud:spring-cloud-cloudfoundry-connector'
     testCompile group: 'org.springframework.boot', name: 'spring-boot-starter-test'
-    testCompile group: 'org.springframework.cloud', name: 'spring-cloud-cloudfoundry-connector', version: '1.1.1.RELEASE', classifier: 'tests'
+    testCompile group: 'org.springframework.cloud', name: 'spring-cloud-cloudfoundry-connector', classifier: 'tests'
+    testCompile group: 'io.specto', name: 'hoverfly-java', version: '0.8.0'
 }
 
 task wrapper(type: Wrapper) {
@@ -83,6 +85,10 @@ uploadArchives {
             authentication(userName: ossrhUsername, password: ossrhPassword)
         }
 
+        pom.whenConfigured { pom ->
+            pom.dependencies = pom.dependencies.findAll { dep -> dep.scope != 'test' }
+        }
+
         pom.project {
             name 'Spring Cloud SSO Connector'
             description 'Spring Cloud Connector Extension for Single Sign-On Service on Pivotal Cloud Foundry'

gradle.properties

@@ -1,4 +1,4 @@
-version=2.0.0.RELEASE
+version=2.1.1.RELEASE
 
 ossrhUsername=
 ossrhPassword=

src/main/java/io/pivotal/spring/cloud/IssuerCheckConfiguration.java

@@ -0,0 +1,34 @@
+package io.pivotal.spring.cloud;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.discovery.ProviderConfiguration;
+import org.springframework.security.oauth2.client.discovery.ProviderDiscoveryClient;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
+import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;
+
+import java.net.MalformedURLException;
+
+@Configuration
+public class IssuerCheckConfiguration {
+    @Value("${ssoServiceUrl}")
+    private String ssoServiceUrl;
+
+    @Value("${security.oauth2.resource.jwk.key-set-uri}")
+    private String keySetUri;
+
+    @Bean
+    public TokenStore jwkTokenStore() throws MalformedURLException {
+        ProviderDiscoveryClient discoveryClient = new ProviderDiscoveryClient(ssoServiceUrl);
+        ProviderConfiguration providerConfiguration = discoveryClient.discover();
+
+        IssuerClaimVerifier issuerClaimVerifier = new IssuerClaimVerifier(providerConfiguration.getIssuer());
+
+        return new JwkTokenStore(
+            keySetUri,
+            issuerClaimVerifier
+        );
+    }
+}

src/main/java/io/pivotal/spring/cloud/SsoServiceCredentialsListener.java

@@ -6,53 +6,36 @@
 import org.springframework.cloud.CloudFactory;
 import org.springframework.cloud.service.ServiceInfo;
 import org.springframework.context.ApplicationListener;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.MapPropertySource;
 
 import java.util.HashMap;
 import java.util.Map;
 
-@Configuration
 public class SsoServiceCredentialsListener implements ApplicationListener<ApplicationEnvironmentPreparedEvent> {
-
-    private static final String PROPERTY_SOURCE_NAME = "vcapPivotalSso";
-    private static final String SPRING_OAUTH2_CLIENT_ID = "security.oauth2.client.clientId";
-    private static final String SPRING_OAUTH2_CLIENT_SECRET = "security.oauth2.client.clientSecret";
-    private static final String SPRING_OAUTH2_AUTHORIZE_URI = "security.oauth2.client.userAuthorizationUri";
-    private static final String SPRING_OAUTH2_KEY_URI = "security.oauth2.resource.jwt.keyUri";
-    private static final String SPRING_OAUTH2_ACCESS_TOKEN_URI = "security.oauth2.client.accessTokenUri";
-    private static final String SSO_SERVICE_URL = "ssoServiceUrl";
-    private static final String SPRING_OAUTH2_USER_INFO_URI = "security.oauth2.resource.userInfoUri";
-    private static final String SPRING_OAUTH2_TOKEN_INFO_URI = "security.oauth2.resource.tokenInfoUri";
-
     private Cloud cloud;
 
     @Override
     public void onApplicationEvent(ApplicationEnvironmentPreparedEvent event) {
-        if (cloud != null) {
-            return;
-        }
-
+        if (cloud != null) return;
         try {
             cloud = new CloudFactory().getCloud();
         } catch (CloudException e) {
-            // not running on a known cloud environment, so nothing to do
-            return;
+            return; // not running on a known cloud environment, so nothing to do
         }
 
         for (ServiceInfo serviceInfo : cloud.getServiceInfos()) {
             if (serviceInfo instanceof SsoServiceInfo) {
-                Map<String, Object> map = new HashMap<String, Object>();
+                Map<String, Object> map = new HashMap<>();
                 SsoServiceInfo ssoServiceInfo = (SsoServiceInfo) serviceInfo;
-                map.put(SPRING_OAUTH2_CLIENT_ID, ssoServiceInfo.getClientId());
-                map.put(SPRING_OAUTH2_CLIENT_SECRET, ssoServiceInfo.getClientSecret());
-                map.put(SPRING_OAUTH2_ACCESS_TOKEN_URI, ssoServiceInfo.getAuthDomain() + "/oauth/token");
-                map.put(SPRING_OAUTH2_AUTHORIZE_URI, ssoServiceInfo.getAuthDomain() + "/oauth/authorize");
-                map.put(SPRING_OAUTH2_KEY_URI, ssoServiceInfo.getAuthDomain() + "/token_key");
-                map.put(SSO_SERVICE_URL, ssoServiceInfo.getAuthDomain());
-                map.put(SPRING_OAUTH2_USER_INFO_URI, ssoServiceInfo.getAuthDomain() + "/userinfo");
-                map.put(SPRING_OAUTH2_TOKEN_INFO_URI, ssoServiceInfo.getAuthDomain() + "/check_token");
-                MapPropertySource mapPropertySource = new MapPropertySource(PROPERTY_SOURCE_NAME, map);
+                map.put("security.oauth2.client.clientId", ssoServiceInfo.getClientId());
+                map.put("security.oauth2.client.clientSecret", ssoServiceInfo.getClientSecret());
+                map.put("security.oauth2.client.accessTokenUri", ssoServiceInfo.getAuthDomain() + "/oauth/token");
+                map.put("security.oauth2.client.userAuthorizationUri", ssoServiceInfo.getAuthDomain() + "/oauth/authorize");
+                map.put("ssoServiceUrl", ssoServiceInfo.getAuthDomain());
+                map.put("security.oauth2.resource.userInfoUri", ssoServiceInfo.getAuthDomain() + "/userinfo");
+                map.put("security.oauth2.resource.tokenInfoUri", ssoServiceInfo.getAuthDomain() + "/check_token");
+                map.put("security.oauth2.resource.jwk.key-set-uri", ssoServiceInfo.getAuthDomain() + "/token_keys");
+                MapPropertySource mapPropertySource = new MapPropertySource("vcapPivotalSso", map);
 
                 event.getEnvironment().getPropertySources().addFirst(mapPropertySource);
             }

src/main/resources/META-INF/spring.factories

@@ -1,2 +1,4 @@
 org.springframework.context.ApplicationListener=\
 io.pivotal.spring.cloud.SsoServiceCredentialsListener
+org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
+io.pivotal.spring.cloud.IssuerCheckConfiguration

src/test/java/io/pivotal/spring/cloud/IssuerCheckConfigurationTest.java

@@ -0,0 +1,50 @@
+package io.pivotal.spring.cloud;
+
+import io.specto.hoverfly.junit.rule.HoverflyRule;
+import org.junit.Assert;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@EnableAutoConfiguration
+@TestPropertySource(properties = {
+    "ssoServiceUrl=https://cf-identity-eng-test1.login.run.pivotal.io",
+    "security.oauth2.resource.jwk.key-set-uri=https://cf-identity-eng-test1.login.run.pivotal.io/token_keys"
+})
+public class IssuerCheckConfigurationTest {
+    @ClassRule
+    public static HoverflyRule hoverflyRule = HoverflyRule.inCaptureOrSimulationMode("IssuerCheckConfigurationTest.json");
+
+    @Rule
+    public ExpectedException thrown = ExpectedException.none();
+
+    @Autowired
+    TokenStore jwkTokenStore;
+
+    @Test
+    public void permitsAValidAccessTokenWithTheCorrectIssuer() {
+        String accessTokenForZone1 = "eyJhbGciOiJSUzI1NiIsImtpZCI6InNoYTItMjAxNy0wMS0yMC1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI5MThjZjc0Yzk5NTM0MDhhYjczZTI3YjI4ZGM3NzFmNCIsInN1YiI6ImNmLWlkZW50aXR5LWVuZy10ZXN0MS1jbGllbnQiLCJhdXRob3JpdGllcyI6WyJ1YWEubm9uZSJdLCJzY29wZSI6WyJ1YWEubm9uZSJdLCJjbGllbnRfaWQiOiJjZi1pZGVudGl0eS1lbmctdGVzdDEtY2xpZW50IiwiY2lkIjoiY2YtaWRlbnRpdHktZW5nLXRlc3QxLWNsaWVudCIsImF6cCI6ImNmLWlkZW50aXR5LWVuZy10ZXN0MS1jbGllbnQiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjVhNzk3NmFlIiwiaWF0IjoxNTAxMTkyODMzLCJleHAiOjE1MDEyMzYwMzMsImlzcyI6Imh0dHBzOi8vY2YtaWRlbnRpdHktZW5nLXRlc3QxLnVhYS5ydW4ucGl2b3RhbC5pby9vYXV0aC90b2tlbiIsInppZCI6ImZiYjYxNjk3LWMwZDctNDg4Zi1hZTFlLTEwMmRiMjk5YjgzMCIsImF1ZCI6WyJjZi1pZGVudGl0eS1lbmctdGVzdDEtY2xpZW50Il19.N6kEA4xXGm9--HAaCA40kaEymH9ON3JSeARU1ZvdvpX_P7E_grq-RFZquAmGvk0_UWBTBlz61pM7HClz7UxKnTJVCLkcCzaokDFjDVhFwRxAiAQ2tdUtEPxxOW7xUoyzIBk6RhdAckOX4kgAj1GXKc4SBHdJed-FXao3VIW5Z1YbpwUTHKnX9q8W5hE_dSIzd6X61r3oIi1WrqHCjkABQys9Osu8VBIjLtYIVut_PR14chZu0swPrVU2L0ncdS28lpYvrJWX_2LbJsoqix2mLcsQ26NBz3skusdJF0buq4Wnb3oz7w-NtWCSLOrhfKDUaIoK3-7f8AXdqWaND7wF0A";
+
+        OAuth2AccessToken oAuth2AccessToken = jwkTokenStore.readAccessToken(accessTokenForZone1);
+        Assert.assertEquals(oAuth2AccessToken.getAdditionalInformation().get("iss"), "https://cf-identity-eng-test1.uaa.run.pivotal.io/oauth/token");
+    }
+
+    @Test
+    public void rejectsAValidAccessTokenWithADifferentIssuer() {
+        thrown.expect(InvalidTokenException.class);
+        thrown.expectMessage("Invalid Issuer (iss) claim: https://cf-identity-eng-test2.uaa.run.pivotal.io/oauth/token");
+
+        String accessTokenForZone2 = "eyJhbGciOiJSUzI1NiIsImtpZCI6InNoYTItMjAxNy0wMS0yMC1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI5ZDQzZGI3ZmE2MGU0MmRmOTA4OWYxYTBkZmZlMGYxMSIsInN1YiI6ImNmLWlkZW50aXR5LWVuZy10ZXN0Mi1jbGllbnQiLCJhdXRob3JpdGllcyI6WyJ1YWEubm9uZSJdLCJzY29wZSI6WyJ1YWEubm9uZSJdLCJjbGllbnRfaWQiOiJjZi1pZGVudGl0eS1lbmctdGVzdDItY2xpZW50IiwiY2lkIjoiY2YtaWRlbnRpdHktZW5nLXRlc3QyLWNsaWVudCIsImF6cCI6ImNmLWlkZW50aXR5LWVuZy10ZXN0Mi1jbGllbnQiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFmNTI0ZDAzIiwiaWF0IjoxNTAxMTkyODk1LCJleHAiOjE1MDEyMzYwOTUsImlzcyI6Imh0dHBzOi8vY2YtaWRlbnRpdHktZW5nLXRlc3QyLnVhYS5ydW4ucGl2b3RhbC5pby9vYXV0aC90b2tlbiIsInppZCI6Ijg4NDIxNmJiLWQyNjYtNDA3Mi1iZGIyLWNjZTEyZDc1NDkxNCIsImF1ZCI6WyJjZi1pZGVudGl0eS1lbmctdGVzdDItY2xpZW50Il19.Phmg3vtQOdzhtq3A_G6DOsckwp7u-ANLrXq_DktSyETV-0nmPLrjbAEjxzPROJKuwNrFFMjLCr5ZsbEMa-gV2zXvEKl3B5Wf4S2FZaXnEZmmzkYlQ5PRAYKYzQKJJC6dSicLRAXJdMloktqN94y27BJ8loi9qOGtpSTMZ95Z5M3fjU3fjExN0I8TQwFFZ3a2f_3zmaotb2HEtJtNmdV-wdROMcvO_kmbNVTNCUi-TW9y4gp3VQ8B84c65yXw3tvsmmiF9s8nvcPqyXuSmjkx5XaFRXlctk1D3Aztj2Yj3_tJIPZDIEUicBXCo1UoSSdOQ7iRsiGChmK6vWjdtf7vkg";
+        jwkTokenStore.readAccessToken(accessTokenForZone2);
+    }
+}

src/test/java/io/pivotal/spring/cloud/SsoServiceCredentialsListenerTest.java

@@ -17,22 +17,20 @@
 import static org.mockito.Mockito.when;
 
 @RunWith(SpringJUnit4ClassRunner.class)
-@SpringBootTest(classes = SsoServiceCredentialsListenerTest.TestConfig.class)
+@SpringBootTest(classes = SsoServiceCredentialsListener.class)
 public class SsoServiceCredentialsListenerTest {
-
-    private static SsoServiceInfo info = Mockito.mock(SsoServiceInfo.class);
+    private static SsoServiceInfo ssoServiceInfo = Mockito.mock(SsoServiceInfo.class);
 
     @Autowired
     private Environment environment;
 
     @BeforeClass
     public static void beforeClass() {
         when(MockCloudConnector.instance.isInMatchingCloud()).thenReturn(true);
-        when(MockCloudConnector.instance.getServiceInfos()).thenReturn(Collections.singletonList(
-            info));
-        when(info.getClientId()).thenReturn("test-client-id");
-        when(info.getClientSecret()).thenReturn("test-client-secret");
-        when(info.getAuthDomain()).thenReturn("test-auth-domain");
+        when(MockCloudConnector.instance.getServiceInfos()).thenReturn(Collections.singletonList(ssoServiceInfo));
+        when(ssoServiceInfo.getClientId()).thenReturn("test-client-id");
+        when(ssoServiceInfo.getClientSecret()).thenReturn("test-client-secret");
+        when(ssoServiceInfo.getAuthDomain()).thenReturn("test-auth-domain");
     }
 
     @AfterClass
@@ -46,12 +44,9 @@ public void addClientCredentials() {
         assertEquals("test-client-secret", environment.getProperty("security.oauth2.client.clientSecret"));
         assertEquals("test-auth-domain/oauth/token", environment.getProperty("security.oauth2.client.accessTokenUri"));
         assertEquals("test-auth-domain/oauth/authorize", environment.getProperty("security.oauth2.client.userAuthorizationUri"));
-        assertEquals("test-auth-domain/token_key", environment.getProperty("security.oauth2.resource.jwt.keyUri"));
+        assertEquals("test-auth-domain/token_keys", environment.getProperty("security.oauth2.resource.jwk.key-set-uri"));
         assertEquals("test-auth-domain/userinfo", environment.getProperty("security.oauth2.resource.userInfoUri"));
         assertEquals("test-auth-domain/check_token", environment.getProperty("security.oauth2.resource.tokenInfoUri"));
         assertEquals("test-auth-domain", environment.getProperty("ssoServiceUrl"));
     }
-
-    public static class TestConfig {
-    }
 }