From 24b8edcacc5952e5fd15a3b30501c296ce67ee7c Mon Sep 17 00:00:00 2001 From: "david.blasby" Date: Wed, 11 Dec 2024 08:23:11 -0800 Subject: [PATCH] changes for -Dqa --- .../gn4forwarding/Gn4SecurityToken.java | 49 ------------------- .../geonetwork/gn4forwarding/JwtSigning.java | 14 ++++-- .../SimpleJwtGn4SecurityHeaderAppender.java | 2 +- ...AbstractGn4SecurityHeaderAppenderTest.java | 16 +++--- .../gn4forwarding/JwtSigningTest.java | 4 +- ...impleJwtGn4SecurityHeaderAppenderTest.java | 2 +- 6 files changed, 21 insertions(+), 66 deletions(-) diff --git a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/Gn4SecurityToken.java b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/Gn4SecurityToken.java index 673eeee..7d9efb8 100644 --- a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/Gn4SecurityToken.java +++ b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/Gn4SecurityToken.java @@ -7,14 +7,10 @@ import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; -import java.util.ArrayList; import java.util.Collection; import java.util.List; -import java.util.Objects; -import java.util.stream.Collectors; import lombok.Getter; import lombok.Setter; -import org.geonetwork.domain.Profile; import org.springframework.security.core.GrantedAuthority; /** @@ -30,9 +26,6 @@ public class Gn4SecurityToken { @JsonProperty private String username; - @JsonProperty - private List userGroupProfile; - /** * just puts in the username * 
@@ -47,51 +40,9 @@ public Gn4SecurityToken(String username) { * the "generic" user profile * * @param username GN4 username - * @param authorities authorities (from GN5 or external service) - * @param roles group-profile info */ public Gn4SecurityToken( String username, Collection authorities, List roles) { this.username = username; - if (roles != null) { - this.userGroupProfile = roles.stream() - .map(x -> x.getGroupName() + ":" + x.getProfile().toString()) - .collect(Collectors.toList()); - } - var profile = getBestMainProfile(authorities); - if (userGroupProfile == null) { - userGroupProfile = new ArrayList<>(); - } - userGroupProfile.add(profile); - } - - /** - * given a set of authorities (from spring security auth), find the "biggest" GN4/GN5 profile. global biggest = - * Administrator - * - * @param authorities - from GN Security Content () - * @return highest profile found (or RegisteredUser) - */ - private String getBestMainProfile(Collection authorities) { - if (authorities == null || authorities.isEmpty()) { - return "RegisteredUser"; - } - var profiles = authorities.stream() - .map(x -> { - var roleName = x.getAuthority(); - if (roleName.startsWith("ROLE_")) { - roleName = roleName.substring("ROLE_".length()); - } - var profile = Profile.findProfileIgnoreCase(roleName); - return profile; - }) - .filter(Objects::nonNull) - .toList(); - if (profiles.isEmpty()) { - return "RegisteredUser"; - } - @SuppressWarnings("EnumOrdinal") - var result = profiles.stream().map(Enum::ordinal).min(Integer::compare).get(); - return Profile.values()[result].name(); } } diff --git a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/JwtSigning.java b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/JwtSigning.java index 6b95807..c38ba89 100644 --- a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/JwtSigning.java +++ b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/JwtSigning.java 
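Review bot: The three-argument constructor `Gn4SecurityToken(String username, Collection authorities, List roles)` keeps `authorities` and `roles` in its signature but no longer reads either of them, and the hunk deletes their `@param` tags instead of documenting that; a caller that passes role information now silently gets a token carrying only the username. If the parameters are kept for source compatibility, say so in the Javadoc, e.g. `@param authorities unused; profile information is no longer forwarded in the token` and the same for `roles`, and have the body delegate with `this(username);`; otherwise drop the two parameters so the compiler flags the callers that still pass them. The matching field and import removals are in the two hunks on line 1 and need no separate change.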
@@ -11,13 +11,15 @@ import com.nimbusds.jose.crypto.RSASSASigner; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; -import java.net.URL; +import java.net.URI; import java.security.KeyFactory; import java.security.PrivateKey; import java.security.PublicKey; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.spec.PKCS8EncodedKeySpec; +import java.time.Instant; +import java.time.temporal.ChronoUnit; import java.util.Base64; import java.util.Date; import org.apache.commons.io.IOUtils; @@ -42,7 +44,7 @@ public class JwtSigning { public static PrivateKey getPrivateKey(String url) throws Exception { String privateKeyBase64; - try (var stream = new URL(url).openStream()) { + try (var stream = new URI(url).toURL().openStream()) { privateKeyBase64 = IOUtils.toString(stream); } if (privateKeyBase64.startsWith("-----BEGIN PRIVATE KEY-----")) { @@ -61,7 +63,7 @@ public static PrivateKey getPrivateKey(String url) throws Exception { public static PublicKey getPublicKey(String url) throws Exception { CertificateFactory f = CertificateFactory.getInstance("X.509"); X509Certificate certificate; - try (var stream = new URL(url).openStream()) { + try (var stream = new URI(url).toURL().openStream()) { certificate = (X509Certificate) f.generateCertificate(stream); } return certificate.getPublicKey(); 
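Review bot: `privateKeyBase64 = IOUtils.toString(stream);` in getPrivateKey, the line right after the one this hunk changes, still reads the key material with the platform default charset (that overload is deprecated in commons-io for this reason); use `privateKeyBase64 = IOUtils.toString(stream, StandardCharsets.UTF_8);` so the PEM/Base64 text decodes identically on every host, adding the `java.nio.charset.StandardCharsets` import alongside the new `java.time` ones. The `new URI(url).toURL().openStream()` form introduced here and in the getPublicKey hunk is the right replacement for the deprecated `URL(String)` constructor, but it changes the failure type: a relative or malformed `url` now surfaces as `URISyntaxException` or `IllegalArgumentException` rather than `MalformedURLException`, which only matters to a caller catching the specific type since both methods declare `throws Exception`. The `url` value appears to come from filter configuration (the `privateKeyUrl` config key in the test on line 7), and nothing here restricts the scheme, so a one-line Javadoc note that the key location is trusted configuration and any scheme the JDK supports will be opened would help the next maintainer.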
@@ -72,13 +74,15 @@ public static String createJWT(String privateKeyUrl, Gn4SecurityToken securityIn JWSSigner signer = new RSASSASigner(privateKey); + var expire = Instant.now().plus(1, ChronoUnit.HOURS); + JWTClaimsSet claimsSet = new JWTClaimsSet.Builder() .subject(securityInfo.getUsername()) .issuer(ISSUER) .audience(AUDIENCE) - .expirationTime(new Date(new Date().getTime() + 60 * 1000)) + .expirationTime(Date.from(expire)) .claim("username", securityInfo.getUsername()) - .claim("userGroupProfile", securityInfo.getUserGroupProfile()) + // .claim("userGroupProfile", securityInfo.getUserGroupProfile()) .build(); SignedJWT signedJWT = new SignedJWT( diff --git a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppender.java b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppender.java index c2004bc..3df2e1e 100644 --- a/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppender.java +++ b/src/apps/geonetwork/src/main/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppender.java @@ -31,7 +31,7 @@ public class SimpleJwtGn4SecurityHeaderAppender extends AbstractGn4SecurityHeade * * @param token security info (i.e. username) * @param config filter config (see above). - * @return + * @return string to attach to header */ @Override protected String encodeToken(Gn4SecurityToken token, Map config) { diff --git a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/AbstractGn4SecurityHeaderAppenderTest.java b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/AbstractGn4SecurityHeaderAppenderTest.java index d1f5a56..5f065a6 100644 --- a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/AbstractGn4SecurityHeaderAppenderTest.java +++ b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/AbstractGn4SecurityHeaderAppenderTest.java 
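Review bot: The new `expirationTime` widens the token lifetime from 60 seconds to one hour with no comment on why, and the literal should be a named constant: `private static final Duration TOKEN_LIFETIME = Duration.ofHours(1);` with `var expire = Instant.now().plus(TOKEN_LIFETIME);` (needs a `java.time.Duration` import). This JWT is carried in a request header to GN4 by the appender classes in this commit, so a longer validity lengthens the window in which an intercepted header remains accepted; if the hour is needed for the QA setup, record the reason next to the constant, and if it only papers over clock skew between GN5 and GN4, a few minutes plus `.issueTime(Date.from(now))` and `.notBeforeTime(...)` is the narrower fix. The `// .claim("userGroupProfile", securityInfo.getUserGroupProfile())` line should be deleted rather than left commented out, since the getter it references was removed from Gn4SecurityToken in this same commit. createJWT's body continues outside the hunk on both sides.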
@@ -56,7 +56,7 @@ protected String encodeToken(Gn4SecurityToken token, Map config) { * correct username (from the mocked request) 3. verifies that the token is set on the correct header in the new * request * - * @throws Exception + * @throws Exception error - test fail */ @Test public void testToken() throws Exception { @@ -70,7 +70,7 @@ protected String encodeToken(Gn4SecurityToken token, Map config) { }; var request = mockServerRequest(); - var config = new HashMap(); + var config = new HashMap(); config.put("headerName", "testcaseheadername"); var newrequest = abstractGn4SecurityHeaderAppender.execute_impl(request, config); @@ -84,7 +84,7 @@ protected String encodeToken(Gn4SecurityToken token, Map config) { /** * This tests to make sure the security header is removed for incoming requests. * - * @throws Exception + * @throws Exception error - test fail */ @Test public void testMaliciousHeader() throws Exception { @@ -98,7 +98,7 @@ protected String encodeToken(Gn4SecurityToken token, Map config) { }; var request = mockServerRequestMalicious(); - var config = new HashMap(); + var config = new HashMap(); config.put("headerName", "testcaseheadername"); assertFalse(request.headers().header("testcaseheadername").isEmpty()); @@ -113,8 +113,8 @@ protected String encodeToken(Gn4SecurityToken token, Map config) { /** * creates a mock request with a User (username = "testcase_dave"). * - * @return - * @throws Exception + * @return mocked request GN5 user "testcase_dave" + * @throws Exception error - test fail */ public ServerRequest mockServerRequest() throws Exception { var authorities = List.of(new SimpleGrantedAuthority("ROLE_USER")); 
@@ -145,8 +145,8 @@ public ServerRequest mockServerRequest() throws Exception { * creates a mock request without a user, but with the security header already set. This is a bit complex because we * need to add the header (not easy) as well as keep the session. * - * @return - * @throws Exception + * @return mocked request with illegal header from user + * @throws Exception error - test fail */ public ServerRequest mockServerRequestMalicious() throws Exception { diff --git a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/JwtSigningTest.java b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/JwtSigningTest.java index d624f8c..57a3483 100644 --- a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/JwtSigningTest.java +++ b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/JwtSigningTest.java @@ -53,7 +53,7 @@ public void setUp() throws Exception { /** * make sure you can read the private and public keys. * - * @throws Exception + * @throws Exception error - test fail */ @Test public void readKeys() throws Exception { @@ -79,7 +79,7 @@ public void readKeys() throws Exception { /** * tests signing, content of the JWT and makes sure that the signing can be verified. * - * @throws Exception + * @throws Exception error - test fail */ @Test public void testSigning() throws Exception { diff --git a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppenderTest.java b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppenderTest.java index 048192a..44c46fd 100644 --- a/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppenderTest.java +++ b/src/apps/geonetwork/src/test/java/org/geonetwork/gn4forwarding/SimpleJwtGn4SecurityHeaderAppenderTest.java 
@@ -21,7 +21,7 @@ public void testEncode() { var encoder = new SimpleJwtGn4SecurityHeaderAppender(); var token = new Gn4SecurityToken("testcase_dave"); - var config = new HashMap(); + var config = new HashMap(); config.put("privateKeyUrl", "my privateKeyUrl"); config.put("keyId", "my keyId");