diff --git a/pom.xml b/pom.xml index 775beb4bcc..6afef91dbd 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ 0.17 3.0.16 2.4.1 - 5.7.5 + 5.8.2 7.7.10 5.2.2 5.2.3 @@ -901,6 +901,13 @@ + + org.springframework.security + spring-security-bom + ${dependency.spring-security.version} + pom + import + diff --git a/repository/pom.xml b/repository/pom.xml index ad364d58b7..1eb7bc1c06 100644 --- a/repository/pom.xml +++ b/repository/pom.xml @@ -387,14 +387,11 @@ org.springframework.security - spring-security-core - ${dependency.spring-security.version} - - - org.springframework - spring-expression - - + spring-security-crypto + + + org.springframework.security + spring-security-oauth2-client org.quartz-scheduler @@ -557,17 +554,6 @@ - - org.keycloak - keycloak-authz-client - ${dependency.keycloak.version} - - - * - * - - - org.keycloak keycloak-core diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/AuthenticatorAuthzClientFactoryBean.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/AuthenticatorAuthzClientFactoryBean.java deleted file mode 100644 index 47dafeccfc..0000000000 --- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/AuthenticatorAuthzClientFactoryBean.java +++ /dev/null @@ -1,119 +0,0 @@ -/* - * #%L - * Alfresco Repository - * %% - * Copyright (C) 2005 - 2018 Alfresco Software Limited - * %% - * This file is part of the Alfresco software. - * If the software was purchased under a paid Alfresco license, the terms of - * the paid license agreement will prevail. Otherwise, the software is - * provided under the following open source license terms: - * - * Alfresco is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * Alfresco is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with Alfresco. If not, see . - * #L% - */ -package org.alfresco.repo.security.authentication.identityservice; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.http.client.HttpClient; -import org.keycloak.adapters.HttpClientBuilder; -import org.keycloak.authorization.client.AuthzClient; -import org.keycloak.authorization.client.Configuration; -import org.springframework.beans.factory.FactoryBean; - -import java.util.HashMap; -import java.util.Map; -import java.util.concurrent.TimeUnit; - -/** - * - * Creates an instance of {@link AuthzClient}.
- * The creation of {@link AuthzClient} requires connection to a Keycloak server, disable this factory if Keycloak cannot be reached.
- * This factory can return a null if it is disabled. - * - */ -public class AuthenticatorAuthzClientFactoryBean implements FactoryBean -{ - - private static Log logger = LogFactory.getLog(AuthenticatorAuthzClientFactoryBean.class); - private IdentityServiceConfig identityServiceConfig; - private boolean enabled; - - public void setEnabled(boolean enabled) - { - this.enabled = enabled; - } - - public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig) - { - this.identityServiceConfig = identityServiceConfig; - } - - @Override - public AuthzClient getObject() throws Exception - { - // The creation of the client can be disabled for testing or when the username/password authentication is not required, - // for instance when Keycloak is configured for 'bearer only' authentication or Direct Access Grants are disabled. - if (!enabled) - { - return null; - } - - // Build default http client using the keycloak client builder. - int conTimeout = identityServiceConfig.getClientConnectionTimeout(); - int socTimeout = identityServiceConfig.getClientSocketTimeout(); - HttpClient client = new HttpClientBuilder() - .establishConnectionTimeout(conTimeout, TimeUnit.MILLISECONDS) - .socketTimeout(socTimeout, TimeUnit.MILLISECONDS) - .build(this.identityServiceConfig); - - // Add secret to credentials if needed. - // AuthzClient configuration needs credentials with a secret even if the client in Keycloak is configured as public. - Map credentials = identityServiceConfig.getCredentials(); - if (credentials == null || !credentials.containsKey("secret")) - { - credentials = credentials == null ? new HashMap<>() : new HashMap<>(credentials); - credentials.put("secret", ""); - } - - // Create default AuthzClient for authenticating users against keycloak - String authServerUrl = identityServiceConfig.getAuthServerUrl(); - String realm = identityServiceConfig.getRealm(); - String resource = identityServiceConfig.getResource(); - Configuration authzConfig = new Configuration(authServerUrl, realm, resource, credentials, client); - AuthzClient authzClient = AuthzClient.create(authzConfig); - - if (logger.isDebugEnabled()) - { - logger.debug(" Created Keycloak AuthzClient"); - logger.debug(" Keycloak AuthzClient server URL: " + authzClient.getConfiguration().getAuthServerUrl()); - logger.debug(" Keycloak AuthzClient realm: " + authzClient.getConfiguration().getRealm()); - logger.debug(" Keycloak AuthzClient resource: " + authzClient.getConfiguration().getResource()); - } - return authzClient; - } - - @Override - public Class getObjectType() - { - return AuthenticatorAuthzClientFactoryBean.class; - } - - @Override - public boolean isSingleton() - { - return true; - } -} diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java index ccf6787de6..c63b2ff1c2 100644 --- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java +++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java @@ -2,7 +2,7 @@ * #%L * Alfresco Repository * %% - * Copyright (C) 2005 - 2018 Alfresco Software Limited + * Copyright (C) 2005 - 2023 Alfresco Software Limited * %% * This file is part of the Alfresco software. * If the software was purchased under a paid Alfresco license, the terms of @@ -25,38 +25,35 @@ */ package org.alfresco.repo.security.authentication.identityservice; -import java.net.ConnectException; - -import org.alfresco.error.ExceptionStackUtil; import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent; import org.alfresco.repo.security.authentication.AuthenticationException; +import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.keycloak.authorization.client.AuthzClient; -import org.keycloak.authorization.client.util.HttpResponseException; /** * - * Authenticates a user against Keycloak. - * Keycloak's {@link AuthzClient} is used to retrieve an access token for the provided user credentials, - * user is set as the current user if the user's access token can be obtained. + * Authenticates a user against Identity Service (Keycloak). + * {@link OAuth2Client} is used to verify provided user credentials. User is set as the current user if the user + * credentials are valid. *
- * The AuthzClient can be null in which case this authenticator will just fall through to the next one in the chain. + * The {@link IdentityServiceAuthenticationComponent#oAuth2Client} can be null in which case this authenticator will + * just fall through to the next one in the chain. * */ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean { - private final Log logger = LogFactory.getLog(IdentityServiceAuthenticationComponent.class); - /** client used to authenticate user credentials against Keycloak **/ - private AuthzClient authzClient; + private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class); + /** client used to authenticate user credentials against Authorization Server **/ + private OAuth2Client oAuth2Client; /** enabled flag for the identity service subsystem**/ private boolean active; private boolean allowGuestLogin; - public void setAuthenticatorAuthzClient(AuthzClient authenticatorAuthzClient) + public void setOAuth2Client(OAuth2Client oAuth2Client) { - this.authzClient = authenticatorAuthzClient; + this.oAuth2Client = oAuth2Client; } public void setAllowGuestLogin(boolean allowGuestLogin) @@ -67,49 +64,31 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati public void authenticateImpl(String userName, char[] password) throws AuthenticationException { - if (authzClient == null) + if (oAuth2Client == null) { - if (logger.isDebugEnabled()) + if (LOGGER.isDebugEnabled()) { - logger.debug("AuthzClient was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property. "); + LOGGER.debug("OAuth2Client was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property."); } - throw new AuthenticationException("User not authenticated because AuthzClient was not set."); + throw new AuthenticationException("User not authenticated because OAuth2Client was not set."); } try { - // Attempt to get an access token using the user credentials - authzClient.obtainAccessToken(userName, new String(password)); + // Attempt to verify user credentials + oAuth2Client.verifyCredentials(userName, new String(password)); - // Successfully obtained access token so treat as authenticated user + // Verification was successful so treat as authenticated user setCurrentUser(userName); } - catch (HttpResponseException e) + catch (CredentialsVerificationException e) { - if (logger.isDebugEnabled()) - { - logger.debug("Failed to authenticate user against Keycloak. Status: " + e.getStatusCode() + " Reason: "+ e.getReasonPhrase()); - } - - throw new AuthenticationException("Failed to authenticate user against Keycloak.", e); + throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e); } catch (RuntimeException e) { - Throwable cause = ExceptionStackUtil.getCause(e, ConnectException.class); - if (cause != null) - { - if (logger.isWarnEnabled()) - { - logger.warn("Couldn't connect to Keycloak server to authenticate user. Reason: " + cause.getMessage()); - } - throw new AuthenticationException("Couldn't connect to Keycloak server to authenticate user.", cause); - } - if (logger.isDebugEnabled()) - { - logger.debug("Error occurred while authenticating user against Keycloak. Reason: " + e.getMessage()); - } - throw new AuthenticationException("Error occurred while authenticating user against Keycloak.", e); + throw new AuthenticationException("Failed to verify user credentials.", e); } } @@ -129,4 +108,32 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati { return allowGuestLogin; } + + /** + * An abstraction for acting as an OAuth2 Client + */ + interface OAuth2Client + { + /** + * The OAuth2's Client role is only used to verify the user credentials (Resource Owner Password + * Credentials Flow) this is why there is an explicit method for verifying these. + * @param userName user's name + * @param password user's password + * @throws CredentialsVerificationException when the verification failed or couldn't be performed + */ + void verifyCredentials(String userName, String password); + + class CredentialsVerificationException extends RuntimeException + { + CredentialsVerificationException(String message) + { + super(message); + } + + CredentialsVerificationException(String message, Throwable cause) + { + super(message, cause); + } + } + } } diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java index 381b976063..6f66f26c81 100644 --- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java +++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java @@ -2,7 +2,7 @@ * #%L * Alfresco Repository * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited + * Copyright (C) 2005 - 2023 Alfresco Software Limited * %% * This file is part of the Alfresco software. * If the software was purchased under a paid Alfresco license, the terms of @@ -26,6 +26,7 @@ package org.alfresco.repo.security.authentication.identityservice; import java.util.Map; +import java.util.Optional; import java.util.Properties; import java.util.TreeMap; @@ -33,6 +34,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.keycloak.representations.adapters.config.AdapterConfig; import org.springframework.beans.factory.InitializingBean; +import org.springframework.web.util.UriComponentsBuilder; /** * Class to hold configuration for the Identity Service. @@ -41,8 +43,9 @@ import org.springframework.beans.factory.InitializingBean; */ public class IdentityServiceConfig extends AdapterConfig implements InitializingBean { - private static Log logger = LogFactory.getLog(IdentityServiceConfig.class); - + private static final Log LOGGER = LogFactory.getLog(IdentityServiceConfig.class); + private static final String REALMS = "realms"; + private static final String SECRET = "secret"; private static final String CREDENTIALS_SECRET = "identity-service.credentials.secret"; private static final String CREDENTIALS_PROVIDER = "identity-service.credentials.provider"; @@ -95,13 +98,13 @@ public class IdentityServiceConfig extends AdapterConfig implements Initializing @Override public void afterPropertiesSet() throws Exception { - // programatically build the more complex objects i.e. credentials + // programmatically build the more complex objects i.e. credentials Map credentials = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); String secret = this.globalProperties.getProperty(CREDENTIALS_SECRET); if (secret != null && !secret.isEmpty()) { - credentials.put("secret", secret); + credentials.put(SECRET, secret); } String provider = this.globalProperties.getProperty(CREDENTIALS_PROVIDER); @@ -116,10 +119,27 @@ public class IdentityServiceConfig extends AdapterConfig implements Initializing { this.setCredentials(credentials); - if (logger.isDebugEnabled()) + if (LOGGER.isDebugEnabled()) { - logger.debug("Created credentials map from config: " + credentials); + LOGGER.debug("Created credentials map from config: " + credentials); } } } + + String getIssuerUrl() + { + return UriComponentsBuilder.fromUriString(getAuthServerUrl()) + .pathSegment(REALMS, getRealm()) + .build() + .toString(); + } + + public String getClientSecret() + { + return Optional.ofNullable(getCredentials()) + .map(c -> c.get(SECRET)) + .filter(String.class::isInstance) + .map(String.class::cast) + .orElse(""); + } } diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OAuth2ClientFactoryBean.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OAuth2ClientFactoryBean.java new file mode 100644 index 0000000000..bcf01ebaf2 --- /dev/null +++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OAuth2ClientFactoryBean.java @@ -0,0 +1,270 @@ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2023 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ +package org.alfresco.repo.security.authentication.identityservice; + +import java.util.Arrays; +import java.util.Objects; +import java.util.concurrent.atomic.AtomicReference; +import java.util.function.Supplier; + +import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.http.client.SimpleClientHttpRequestFactory; +import org.springframework.http.converter.FormHttpMessageConverter; +import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager; +import org.springframework.security.oauth2.client.OAuth2AuthorizationContext; +import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder.PasswordGrantBuilder; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService; +import org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient; +import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; +import org.springframework.security.oauth2.client.registration.ClientRegistrations; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; +import org.springframework.security.oauth2.core.OAuth2AuthorizationException; +import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter; +import org.springframework.web.client.RestTemplate; + +/** + * + * Creates an instance of {@link OAuth2Client}.
+ * The creation of {@link OAuth2Client} requires connection to the Identity Service (Keycloak), disable this factory if + * the server cannot be reached.
+ * This factory can return a null if it is disabled. + * + */ +public class OAuth2ClientFactoryBean implements FactoryBean +{ + + private static final Log LOGGER = LogFactory.getLog(OAuth2ClientFactoryBean.class); + private IdentityServiceConfig identityServiceConfig; + private boolean enabled; + + public void setEnabled(boolean enabled) + { + this.enabled = enabled; + } + + public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig) + { + this.identityServiceConfig = identityServiceConfig; + } + + @Override + public OAuth2Client getObject() throws Exception + { + // The creation of the client can be disabled for testing or when the username/password authentication is not required, + // for instance when Keycloak is configured for 'bearer only' authentication or Direct Access Grants are disabled. + if (!enabled) + { + return null; + } + + // The OAuth2AuthorizedClientManager isn't created upfront to make the code resilient to Identity Service being down. + // If it's down the Application Context will start and when it's back online it can be used. + return new SpringOAuth2Client(this::createOAuth2AuthorizedClientManager); + } + + private OAuth2AuthorizedClientManager createOAuth2AuthorizedClientManager() + { + //Here we preserve the behaviour of previously used Keycloak Adapter + // * Client is authenticating itself using basic auth + // * Resource Owner Password Credentials Flow is used to authenticate Resource Owner + // * There is no caching of authenticated clients (NoStoredAuthorizedClient) + // * There is only one Authorization Server/Client pair (SingleClientRegistration) + + final ClientRegistration clientRegistration = ClientRegistrations + .fromIssuerLocation(identityServiceConfig.getIssuerUrl()) + .clientId(identityServiceConfig.getResource()) + .clientSecret(identityServiceConfig.getClientSecret()) + .authorizationGrantType(AuthorizationGrantType.PASSWORD) + .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) + .registrationId(SpringOAuth2Client.CLIENT_REGISTRATION_ID) + .build(); + + final AuthorizedClientServiceOAuth2AuthorizedClientManager oauth2 = + new AuthorizedClientServiceOAuth2AuthorizedClientManager( + new SingleClientRegistration(clientRegistration), + new NoStoredAuthorizedClient()); + oauth2.setContextAttributesMapper(OAuth2AuthorizeRequest::getAttributes); + oauth2.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder() + .password(this::configureTimeouts) + .build()); + + if (LOGGER.isDebugEnabled()) + { + LOGGER.debug(" Created OAuth2 Client"); + LOGGER.debug(" OAuth2 Issuer URL: " + clientRegistration.getProviderDetails().getIssuerUri()); + LOGGER.debug(" OAuth2 ClientId: " + clientRegistration.getClientId()); + } + + return oauth2; + } + + private void configureTimeouts(PasswordGrantBuilder builder) + { + final SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory(); + requestFactory.setConnectTimeout(identityServiceConfig.getClientConnectionTimeout()); + requestFactory.setReadTimeout(identityServiceConfig.getClientSocketTimeout()); + + final RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter())); + restTemplate.setRequestFactory(requestFactory); + restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler()); + + final DefaultPasswordTokenResponseClient client = new DefaultPasswordTokenResponseClient(); + client.setRestOperations(restTemplate); + + builder.accessTokenResponseClient(client); + } + + @Override + public Class getObjectType() + { + return OAuth2Client.class; + } + + @Override + public boolean isSingleton() + { + return true; + } + + static class SpringOAuth2Client implements OAuth2Client + { + private static final String CLIENT_REGISTRATION_ID = "ids"; + private final Supplier authorizedClientManagerSupplier; + private final AtomicReference authorizedClientManager = new AtomicReference<>(); + + public SpringOAuth2Client(Supplier authorizedClientManagerSupplier) + { + this.authorizedClientManagerSupplier = Objects.requireNonNull(authorizedClientManagerSupplier); + } + + @Override + public void verifyCredentials(String userName, String password) + { + final OAuth2AuthorizedClientManager clientManager; + try + { + clientManager = getAuthorizedClientManager(); + } + catch (RuntimeException e) + { + LOGGER.warn("Failed to instantiate OAuth2AuthorizedClientManager.", e); + throw new CredentialsVerificationException("Unable to use the Authorization Server.", e); + } + + final OAuth2AuthorizedClient authorizedClient; + try + { + final OAuth2AuthorizeRequest authRequest = createPasswordCredentialsRequest(userName, password); + authorizedClient = clientManager.authorize(authRequest); + } + catch (OAuth2AuthorizationException e) + { + LOGGER.debug("Failed to authorize against Authorization Server. Reason: " + e.getError() + "."); + throw new CredentialsVerificationException("Authorization against the Authorization Server failed with " + e.getError() + ".", e); + } + catch (RuntimeException e) + { + LOGGER.warn("Failed to authorize against Authorization Server. Reason: " + e.getMessage()); + throw new CredentialsVerificationException("Failed to authorize against Authorization Server.", e); + } + + if (authorizedClient == null || authorizedClient.getAccessToken() == null) + { + throw new CredentialsVerificationException("Resource Owner Password Credentials is not supported by the Authorization Server."); + } + } + + private OAuth2AuthorizedClientManager getAuthorizedClientManager() + { + final OAuth2AuthorizedClientManager current = authorizedClientManager.get(); + if (current != null) + { + return current; + } + return authorizedClientManager + .updateAndGet(prev -> prev != null ? prev : authorizedClientManagerSupplier.get()); + } + + private OAuth2AuthorizeRequest createPasswordCredentialsRequest(String userName, String password) + { + return OAuth2AuthorizeRequest + .withClientRegistrationId(CLIENT_REGISTRATION_ID) + .principal(userName) + .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, userName) + .attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password) + .build(); + } + } + + private static class NoStoredAuthorizedClient implements OAuth2AuthorizedClientService + { + + @Override + public T loadAuthorizedClient(String clientRegistrationId, String principalName) + { + return null; + } + + @Override + public void saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal) + { + //do nothing + } + + @Override + public void removeAuthorizedClient(String clientRegistrationId, String principalName) + { + //do nothing + } + } + + private static class SingleClientRegistration implements ClientRegistrationRepository + { + private final ClientRegistration clientRegistration; + + private SingleClientRegistration(ClientRegistration clientRegistration) + { + this.clientRegistration = Objects.requireNonNull(clientRegistration); + } + + @Override + public ClientRegistration findByRegistrationId(String registrationId) + { + return Objects.equals(registrationId, clientRegistration.getRegistrationId()) ? clientRegistration : null; + } + } +} diff --git a/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml b/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml index 973ce2f4f8..e3b5d3e0fc 100644 --- a/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml +++ b/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml @@ -21,12 +21,12 @@ ${identity-service.authentication.allowGuestLogin} - - + + - + diff --git a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java index 93487df811..969f70b60e 100644 --- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java +++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java @@ -136,6 +136,7 @@ import org.junit.runners.Suite; org.alfresco.repo.search.impl.solr.facet.FacetQNameUtilsTest.class, org.alfresco.util.BeanExtenderUnitTest.class, org.alfresco.repo.solr.SOLRTrackingComponentUnitTest.class, + org.alfresco.repo.security.authentication.identityservice.SpringOAuth2ClientUnitTest.class, org.alfresco.repo.security.authentication.CompositePasswordEncoderTest.class, org.alfresco.repo.security.authentication.PasswordHashingTest.class, org.alfresco.repo.security.authority.script.ScriptAuthorityService_RegExTest.class, diff --git a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java index 4366a9ff48..009e6ec7df 100644 --- a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java +++ b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java @@ -2,7 +2,7 @@ * #%L * Alfresco Repository * %% - * Copyright (C) 2005 - 2018 Alfresco Software Limited + * Copyright (C) 2005 - 2023 Alfresco Software Limited * %% * This file is part of the Alfresco software. * If the software was purchased under a paid Alfresco license, the terms of @@ -25,14 +25,17 @@ */ package org.alfresco.repo.security.authentication.identityservice; +import static org.mockito.Mockito.doNothing; +import static org.mockito.Mockito.doThrow; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import java.net.ConnectException; import org.alfresco.error.ExceptionStackUtil; import org.alfresco.repo.security.authentication.AuthenticationContext; import org.alfresco.repo.security.authentication.AuthenticationException; +import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client; +import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException; import org.alfresco.repo.security.sync.UserRegistrySynchronizer; import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.security.PersonService; @@ -41,9 +44,6 @@ import org.alfresco.util.BaseSpringTest; import org.junit.After; import org.junit.Before; import org.junit.Test; -import org.keycloak.authorization.client.AuthzClient; -import org.keycloak.authorization.client.util.HttpResponseException; -import org.keycloak.representations.AccessTokenResponse; import org.springframework.beans.factory.annotation.Autowired; public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @@ -65,7 +65,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @Autowired private PersonService personService; - private AuthzClient mockAuthzClient; + private OAuth2Client mockOAuth2Client; @Before public void setUp() @@ -76,8 +76,8 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest authComponent.setNodeService(nodeService); authComponent.setPersonService(personService); - mockAuthzClient = mock(AuthzClient.class); - authComponent.setAuthenticatorAuthzClient(mockAuthzClient); + mockOAuth2Client = mock(OAuth2Client.class); + authComponent.setOAuth2Client(mockOAuth2Client); } @After @@ -89,8 +89,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @Test (expected=AuthenticationException.class) public void testAuthenticationFail() { - when(mockAuthzClient.obtainAccessToken("username", "password")) - .thenThrow(new HttpResponseException("Unauthorized", 401, "Unauthorized", null)); + doThrow(new CredentialsVerificationException("Failed")) + .when(mockOAuth2Client) + .verifyCredentials("username", "password"); authComponent.authenticateImpl("username", "password".toCharArray()); } @@ -98,8 +99,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @Test(expected = AuthenticationException.class) public void testAuthenticationFail_connectionException() { - when(mockAuthzClient.obtainAccessToken("username", "password")).thenThrow( - new RuntimeException("Couldn't connect to server", new ConnectException("ConnectionRefused"))); + doThrow(new CredentialsVerificationException("Couldn't connect to server", new ConnectException("ConnectionRefused"))) + .when(mockOAuth2Client) + .verifyCredentials("username", "password"); try { @@ -116,8 +118,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @Test (expected=AuthenticationException.class) public void testAuthenticationFail_otherException() { - when(mockAuthzClient.obtainAccessToken("username", "password")) - .thenThrow(new RuntimeException("Some other errors!")); + doThrow(new RuntimeException("Some other errors!")) + .when(mockOAuth2Client) + .verifyCredentials("username", "password"); authComponent.authenticateImpl("username", "password".toCharArray()); } @@ -125,8 +128,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest @Test public void testAuthenticationPass() { - when(mockAuthzClient.obtainAccessToken("username", "password")) - .thenReturn(new AccessTokenResponse()); + doNothing().when(mockOAuth2Client).verifyCredentials("username", "password"); authComponent.authenticateImpl("username", "password".toCharArray()); @@ -135,9 +137,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest } @Test (expected= AuthenticationException.class) - public void testFallthroughWhenAuthzClientIsNull() + public void testFallthroughWhenOAuth2ClientIsNull() { - authComponent.setAuthenticatorAuthzClient(null); + authComponent.setOAuth2Client(null); authComponent.authenticateImpl("username", "password".toCharArray()); } diff --git a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringOAuth2ClientUnitTest.java b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringOAuth2ClientUnitTest.java new file mode 100644 index 0000000000..551232d2d3 --- /dev/null +++ b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringOAuth2ClientUnitTest.java @@ -0,0 +1,124 @@ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2023 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ +package org.alfresco.repo.security.authentication.identityservice; + +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.argThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.when; + +import java.util.function.Supplier; + +import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException; +import org.alfresco.repo.security.authentication.identityservice.OAuth2ClientFactoryBean.SpringOAuth2Client; +import org.junit.Test; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager; +import org.springframework.security.oauth2.core.OAuth2AccessToken; + +public class SpringOAuth2ClientUnitTest +{ + private static final String USER_NAME = "user"; + private static final String PASSWORD = "password"; + + @Test + public void shouldRecoverFromInitialAuthorizationServerUnavailability() + { + final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class); + when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class)); + final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class); + when(authClientManager.authorize(any())).thenReturn(authorizedClient); + + final SpringOAuth2Client client = new SpringOAuth2Client(faultySupplier(3, authClientManager)); + + assertThatExceptionOfType(CredentialsVerificationException.class) + .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD)) + .havingCause().withNoCause().withMessage("Expected failure #1"); + verifyNoInteractions(authClientManager); + + assertThatExceptionOfType(CredentialsVerificationException.class) + .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD)) + .havingCause().withNoCause().withMessage("Expected failure #2"); + verifyNoInteractions(authClientManager); + + assertThatExceptionOfType(CredentialsVerificationException.class) + .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD)) + .havingCause().withNoCause().withMessage("Expected failure #3"); + verifyNoInteractions(authClientManager); + + client.verifyCredentials(USER_NAME, PASSWORD); + verify(authClientManager).authorize(argThat(r -> r.getPrincipal() != null && USER_NAME.equals(r.getPrincipal().getPrincipal()))); + } + + @Test + public void shouldThrowVerificationExceptionOnFailure() + { + final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class); + when(authClientManager.authorize(any())).thenThrow(new RuntimeException("Expected")); + + final SpringOAuth2Client client = new SpringOAuth2Client(() -> authClientManager); + + assertThatExceptionOfType(CredentialsVerificationException.class) + .isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD)) + .havingCause().withNoCause().withMessage("Expected"); + } + + @Test + public void shouldAvoidCreatingMultipleInstanceOfOAuth2AuthorizedClientManager() + { + final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class); + when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class)); + final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class); + when(authClientManager.authorize(any())).thenReturn(authorizedClient); + final Supplier supplier = mock(Supplier.class); + when(supplier.get()).thenReturn(authClientManager); + + final SpringOAuth2Client client = new SpringOAuth2Client(supplier); + + client.verifyCredentials(USER_NAME, PASSWORD); + client.verifyCredentials(USER_NAME, PASSWORD); + client.verifyCredentials(USER_NAME, PASSWORD); + verify(supplier, times(1)).get(); + verify(authClientManager, times(3)).authorize(any()); + } + + private Supplier faultySupplier(int numberOfInitialFailures, OAuth2AuthorizedClientManager authClientManager) + { + final int[] counter = new int[]{0}; + return () -> { + if (counter[0]++ < numberOfInitialFailures) + { + throw new RuntimeException("Expected failure #" + counter[0]); + } + return authClientManager; + }; + } + +} \ No newline at end of file