From 812866b95264300093152075b628d313f69385e7 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Thu, 23 May 2019 11:24:47 -0400 Subject: [PATCH 01/13] KPMP-1023: Change logic a bit --- .../java/org/kpmp/auth/AuthController.java | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index c877f04..28fdd3c 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -58,26 +58,26 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); User user = new User(); - if (session != null) { - user = (User) session.getAttribute("user"); - token = JWT.create().withSubject(user.getId()) - .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)) - .sign(HMAC512(SECRET.getBytes())); - auth.setToken(token); - auth.setUser((User) session.getAttribute("user")); - session = null; - } else if (token != null) { + if (token != null) { try { DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) .build() .verify(token); auth.setToken(verifiedToken.getToken()); - //In the future, grab the user from the DB based on the ID stored in the JWT subject. + //In the future, grab the user from the DB based on the ID stored in the JWT subject. user.setId(verifiedToken.getSubject()); auth.setUser(user); } catch (JWTVerificationException exception) { auth.setToken(null); } + } else if (session != null) { + user = (User) session.getAttribute("user"); + token = JWT.create().withSubject(user.getId()) + .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)) + .sign(HMAC512(SECRET.getBytes())); + auth.setToken(token); + auth.setUser((User) session.getAttribute("user")); + session = null; } return auth; } 
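Review bot: `session` in the new `else if (session != null)` branch is a field of the controller rather than anything derived from the current request, so the session that `/login` stores there (the `session = httpSession;` assignment in the login handler, visible in a later patch of this series) is observable by every subsequent caller of `/auth`; between that login and the `session = null` reset, any client that posts `/auth` without a token is handed a JWT for whoever logged in last. The caller's identity has to come from the request itself — `request.getSession(false)` inside `getAuth`, with the field removed — and the `user` attribute should be checked for null before `user.getId()` is dereferenced. The swallowed `JWTVerificationException` is also worth at least a log line so rejected tokens are visible in operations. `getAuth`'s signature lies before this hunk.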
From b92deae75f951019f05200eccee541d8f55df194 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Thu, 23 May 2019 14:45:11 -0400 Subject: [PATCH 02/13] KPMP-1023: Get session --- src/main/java/org/kpmp/auth/AuthController.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 28fdd3c..ad77fed 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -54,9 +54,10 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { @CrossOrigin @RequestMapping(value = "/auth") - public @ResponseBody AuthResponse getAuth(@RequestBody Map payload) throws IOException { + public @ResponseBody AuthResponse getAuth(@RequestBody Map payload, HttpSession httpSession) throws IOException { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); + session = httpSession; User user = new User(); if (token != null) { try { From 66de3279db46a1a4cd7db6aa1199e4b955b5a3aa Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Thu, 23 May 2019 15:35:29 -0400 Subject: [PATCH 03/13] KPMP-1023: token check --- src/main/java/org/kpmp/auth/AuthController.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index ad77fed..75b052f 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java 
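Review bot: Storing the injected `HttpSession` in `session` makes the later `session != null` branch effectively unconditional for anonymous callers — as far as I recall Spring resolves an `HttpSession` parameter by creating a session when none exists — and `session.getAttribute("user")` is then null, so `user.getId()` throws a NullPointerException instead of producing an empty `AuthResponse`. Guard on the attribute rather than on the session: `User sessionUser = (User) session.getAttribute("user"); if (sessionUser != null) { ... }`. The assignment also still routes this caller's session through a field shared by all requests; keep it local to `getAuth` and drop the field.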
@@ -54,12 +54,11 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { @CrossOrigin @RequestMapping(value = "/auth") - public @ResponseBody AuthResponse getAuth(@RequestBody Map payload, HttpSession httpSession) throws IOException { + public @ResponseBody AuthResponse getAuth(@RequestBody Map payload) throws IOException { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); - session = httpSession; User user = new User(); - if (token != null) { + if (!token.equals("null")) { try { DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) .build() From 7f361824012ebff12f038fdc813ad91030470095 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Thu, 23 May 2019 15:41:35 -0400 Subject: [PATCH 04/13] KPMP-1023: check for null --- src/main/java/org/kpmp/auth/AuthController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 75b052f..cc441a4 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -58,7 +58,7 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); User user = new User(); - if (!token.equals("null")) { + if (token != null && !token.equals("null")) { try { DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) .build() From 4c9a2f5e21dc4d81360179be29f640f8c5dcc5ed Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Thu, 23 May 2019 15:58:14 -0400 Subject: [PATCH 05/13] KPMP-1023: Check auth for null instead --- src/main/java/org/kpmp/auth/AuthController.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index cc441a4..9552ab9 100755 
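Review bot: The `(String) payload.get("token")` cast two lines above the changed condition throws a ClassCastException whenever a client sends the token as anything other than a JSON string (`{"token": 123}` or an object), which surfaces as a 500 rather than an unauthenticated response, and the new null/`"null"` check runs too late to help. Read it defensively: `Object raw = payload.get("token"); String token = raw instanceof String ? (String) raw : null;`. Comparing against the literal string `"null"` also bakes a client quirk into the server contract; having the client omit the field is cleaner than recognising its stringified null.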
--- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -58,7 +58,7 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); User user = new User(); - if (token != null && !token.equals("null")) { + if (token != null) { try { DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) .build() @@ -70,7 +70,8 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { } catch (JWTVerificationException exception) { auth.setToken(null); } - } else if (session != null) { + } + if (session != null && auth.getToken() == null) { user = (User) session.getAttribute("user"); token = JWT.create().withSubject(user.getId()) .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)) From 6257056081cd94f1ae6b0c7b3f0b2f59065fb7ba Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Fri, 24 May 2019 11:53:35 -0400 Subject: [PATCH 06/13] KPMP-1024: Put user object in JWT --- src/main/java/org/kpmp/auth/AuthController.java | 11 +++++------ .../java/org/kpmp/auth/ShibbolethUserService.java | 3 +++ src/main/java/users/User.java | 7 +++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 9552ab9..1497d42 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -12,6 +12,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.CrossOrigin; 
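Review bot: Turning `else if` into the independent `if (session != null && auth.getToken() == null)` means a request whose token fails verification (expired, tampered, signed under another secret) now falls through and is re-issued a token from the controller's `session` field, which is shared by all callers and populated by whoever last hit `/login` — a rejected token becomes a path to someone else's identity. Keep the two branches exclusive, or at least require that the session belongs to this request, and log the `JWTVerificationException` that is currently discarded before falling through (`log.info("token rejected: {}", exception.getMessage());` — the message carries no key material). `getAuth` begins before this hunk.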
@@ -46,8 +47,6 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { String redirectURL = request.getParameter("redirect"); session = httpSession; User user = userService.getUser(request, encoder); - //Setting the userID to the session ID for now, but in the future this should probably come from a DB. - user.setId(session.getId()); session.setAttribute("user", user); return new RedirectView(redirectURL); } @@ -57,15 +56,15 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { public @ResponseBody AuthResponse getAuth(@RequestBody Map payload) throws IOException { AuthResponse auth = new AuthResponse(); String token = (String) payload.get("token"); - User user = new User(); + User user; + ObjectMapper mapper = new ObjectMapper(); if (token != null) { try { DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) .build() .verify(token); auth.setToken(verifiedToken.getToken()); - //In the future, grab the user from the DB based on the ID stored in the JWT subject. - user.setId(verifiedToken.getSubject()); + user = mapper.readValue(verifiedToken.getClaim("user").asString(), User.class); auth.setUser(user); } catch (JWTVerificationException exception) { auth.setToken(null); @@ -74,7 +73,7 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { if (session != null && auth.getToken() == null) { user = (User) session.getAttribute("user"); token = JWT.create().withSubject(user.getId()) - .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)) + .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).withClaim("user", user.toJson()) .sign(HMAC512(SECRET.getBytes())); auth.setToken(token); auth.setUser((User) session.getAttribute("user")); diff --git a/src/main/java/org/kpmp/auth/ShibbolethUserService.java b/src/main/java/org/kpmp/auth/ShibbolethUserService.java index 634a1ce..c23536c 100755 
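Review bot: `mapper.readValue(verifiedToken.getClaim("user").asString(), User.class)` sits inside a `try` that catches only `JWTVerificationException`, so a token that verifies but carries no `user` claim — any token minted before this commit still verifies, since the signing secret is unchanged here — yields `asString() == null` and `readValue` fails (an IllegalArgumentException on a null source, as I recall) with nothing to catch it, producing a 500. Check the claim before parsing: `String userJson = verifiedToken.getClaim("user").asString(); if (userJson == null) { auth.setToken(null); } else { ... }`. Note also that the full user record (names, e-mail) now travels inside a signed but unencrypted JWT and is readable by anyone who sees the token, including in request logs; `sub` already carries the stable id, so consider limiting the claim to what the client actually needs.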
--- a/src/main/java/org/kpmp/auth/ShibbolethUserService.java +++ b/src/main/java/org/kpmp/auth/ShibbolethUserService.java @@ -20,12 +20,15 @@ public User getUser(HttpServletRequest request, UTF8Encoder encoder) throws Unsu String firstName = encoder.convertFromLatin1(value); value = handleNull(request.getHeader("sn")); String lastName = encoder.convertFromLatin1(value); + value = handleNull(request.getHeader("eppn")); + String userId = encoder.convertFromLatin1(value); User user = new User(); user.setDisplayName(displayName); user.setLastName(lastName); user.setFirstName(firstName); user.setEmail(email); + user.setId(userId); return user; } diff --git a/src/main/java/users/User.java b/src/main/java/users/User.java index 65aac0e..d9bca79 100755 --- a/src/main/java/users/User.java +++ b/src/main/java/users/User.java @@ -1,6 +1,8 @@ package users; import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; @JsonPropertyOrder({ "id", "firstName", "lastName", "displayName", "email" }) public class User { @@ -59,4 +61,9 @@ public String toString() { ", displayName: " + displayName + ", email: " + email; } + + public String toJson() throws JsonProcessingException { + ObjectMapper mapper = new ObjectMapper(); + return mapper.writeValueAsString(this); + } } From b3050afc2e088b1bc63b75aa51db241ae9077a40 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Fri, 24 May 2019 13:05:35 -0400 Subject: [PATCH 07/13] KPMP-1024: Add some tests --- src/test/java/org/kpmp/auth/AuthResponseTest.java | 8 ++++++++ src/test/java/users/UserTest.java | 14 ++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/src/test/java/org/kpmp/auth/AuthResponseTest.java b/src/test/java/org/kpmp/auth/AuthResponseTest.java index 8d0193d..780e698 100755 --- a/src/test/java/org/kpmp/auth/AuthResponseTest.java +++ b/src/test/java/org/kpmp/auth/AuthResponseTest.java 
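Review bot: The `eppn` request header now becomes the JWT subject, so the trust in this code rests entirely on the Shibboleth SP or reverse proxy overwriting that header on every request; if the application port is reachable directly, a caller can set `eppn: someone@else` themselves. I cannot see `handleNull`, but whatever it substitutes for a missing header must not be accepted as an identity — `/login` should refuse rather than mint a token for an empty subject, e.g. `if (userId.isEmpty()) throw new IllegalStateException("no eppn from SP");`. A comment on the new line would make the assumption explicit: `// eppn is trusted only because the SP in front of this service sets it; never expose this port directly`. In `User.toJson`, a `private static final ObjectMapper` is the usual pattern instead of a new mapper per call.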
@@ -5,6 +5,7 @@ import org.junit.After; import org.junit.Before; import org.junit.Test; +import users.User; public class AuthResponseTest { @@ -27,5 +28,12 @@ public void testSetToken() throws Exception { assertEquals("token", authResponse.getToken()); } + @Test + public void testSetUser() throws Exception { + User user = new User(); + authResponse.setUser(user); + assertEquals(user, authResponse.getUser()); + } + } diff --git a/src/test/java/users/UserTest.java b/src/test/java/users/UserTest.java index b51f05b..c339b8b 100755 --- a/src/test/java/users/UserTest.java +++ b/src/test/java/users/UserTest.java @@ -63,4 +63,18 @@ public void testToString() { ", displayName: Space Oddity" + ", email: ziggy@mars.com", testUser.toString()); } + + @Test + public void testToJson() throws Exception{ + testUser.setId("12345"); + testUser.setDisplayName("Space Oddity"); + testUser.setFirstName("Ziggy"); + testUser.setLastName("Stardust"); + testUser.setEmail("ziggy@mars.com"); + assertEquals("{\"id\":\"12345\""+ + ",\"firstName\":\"Ziggy\"" + + ",\"lastName\":\"Stardust\"" + + ",\"displayName\":\"Space Oddity\"" + + ",\"email\":\"ziggy@mars.com\"}", testUser.toJson()); + } } From 66bfe83239eb09569237898f8d7c7106ba79aca6 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Fri, 24 May 2019 13:32:41 -0400 Subject: [PATCH 08/13] KPMP-1025: Remove userid --- src/main/java/users/User.java | 2 ++ src/test/java/users/UserTest.java | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/main/java/users/User.java b/src/main/java/users/User.java index d9bca79..4f682e5 100755 --- a/src/main/java/users/User.java +++ b/src/main/java/users/User.java @@ -1,5 +1,6 @@ package users; +import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonPropertyOrder; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; 
@@ -13,6 +14,7 @@ public class User { private String displayName; private String email; + @JsonIgnore public String getId() { return id; } diff --git a/src/test/java/users/UserTest.java b/src/test/java/users/UserTest.java index c339b8b..cbc4b3a 100755 --- a/src/test/java/users/UserTest.java +++ b/src/test/java/users/UserTest.java @@ -71,8 +71,7 @@ public void testToJson() throws Exception{ testUser.setFirstName("Ziggy"); testUser.setLastName("Stardust"); testUser.setEmail("ziggy@mars.com"); - assertEquals("{\"id\":\"12345\""+ - ",\"firstName\":\"Ziggy\"" + + assertEquals("{\"firstName\":\"Ziggy\"" + ",\"lastName\":\"Stardust\"" + ",\"displayName\":\"Space Oddity\"" + ",\"email\":\"ziggy@mars.com\"}", testUser.toJson()); From 10076ab0eff7e30f04c31f11793360e1724abc2d Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Tue, 28 May 2019 14:48:03 -0400 Subject: [PATCH 09/13] KPMP-1042: Generate secret randomly --- .../java/org/kpmp/auth/AuthController.java | 12 ++++----- .../java/org/kpmp/auth/SecurityConstants.java | 25 +++++++++++++++++-- 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 1497d42..413f70d 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -1,8 +1,6 @@ package org.kpmp.auth; import static com.auth0.jwt.algorithms.Algorithm.HMAC512; -import static org.kpmp.auth.SecurityConstants.EXPIRATION_TIME; -import static org.kpmp.auth.SecurityConstants.SECRET; import java.io.IOException; import java.io.UnsupportedEncodingException; 
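Review bot: With Jackson 2.x, `@JsonIgnore` on the getter alone marks the whole `id` property as ignored, including `setId` during deserialization, so the `User` rebuilt from the JWT's `user` claim in `getAuth` comes back with `id == null` while the token's `sub` still carries it — the token path and the session path of `getAuth` then return users that differ in `getId()`. If the intent is only to hide `id` from client-facing JSON, keep `@JsonIgnore` on the getter and add `@JsonProperty("id")` on `setId` so deserialization still populates it, or repopulate it from `verifiedToken.getSubject()` after `readValue`. The updated test asserts the serialized JSON but not the round trip, which is where this shows up.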
@@ -35,11 +33,13 @@ public class AuthController { private HttpSession session; private ShibbolethUserService userService; private UTF8Encoder encoder; + private SecurityConstants securityConstants; @Autowired - public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { + public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, SecurityConstants securityConstants) { this.userService = userService; this.encoder = encoder; + this.securityConstants = securityConstants; } @RequestMapping(value = "/login", method = RequestMethod.GET) @@ -60,7 +60,7 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { ObjectMapper mapper = new ObjectMapper(); if (token != null) { try { - DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) + DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(securityConstants.getSecret())) .build() .verify(token); auth.setToken(verifiedToken.getToken()); @@ -73,8 +73,8 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder) { if (session != null && auth.getToken() == null) { user = (User) session.getAttribute("user"); token = JWT.create().withSubject(user.getId()) - .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).withClaim("user", user.toJson()) - .sign(HMAC512(SECRET.getBytes())); + .withExpiresAt(new Date(System.currentTimeMillis() + securityConstants.EXPIRATION_TIME)).withClaim("user", user.toJson()) + .sign(HMAC512(securityConstants.getSecret())); auth.setToken(token); auth.setUser((User) session.getAttribute("user")); session = null; diff --git a/src/main/java/org/kpmp/auth/SecurityConstants.java b/src/main/java/org/kpmp/auth/SecurityConstants.java index 3ac607a..aca4daa 100755 --- a/src/main/java/org/kpmp/auth/SecurityConstants.java +++ b/src/main/java/org/kpmp/auth/SecurityConstants.java 
@@ -1,6 +1,27 @@ package org.kpmp.auth; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; + +import java.util.Random; + +@Component +@Scope("singleton") public class SecurityConstants { - public static final String SECRET = "TubuleGlomerulusNephron"; - public static final long EXPIRATION_TIME = 28_800_000; // 8 hours + + private final byte[] secret; + public static final long EXPIRATION_TIME = 28_800_000; + + public SecurityConstants() { + Random random = new Random(); + byte[] secret = new byte[32]; + random.nextBytes(secret); + this.secret = secret; + } + + public byte[] getSecret() { + return secret; + } + } From 181699770c9f0cd7ffc7c206f7e6ff1e9c2c03f0 Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Tue, 28 May 2019 15:50:46 -0400 Subject: [PATCH 10/13] KPMP-1042: Token service --- .../java/org/kpmp/auth/AuthController.java | 29 ++++------ src/main/java/org/kpmp/auth/TokenService.java | 53 +++++++++++++++++++ 2 files changed, 62 insertions(+), 20 deletions(-) create mode 100755 src/main/java/org/kpmp/auth/TokenService.java diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 413f70d..6b4eeae 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java 
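Review bot: `java.util.Random` is not a cryptographic generator — its 48-bit linear congruential state can be recovered from a few observed outputs and the seed space is small enough to brute-force — so the 32 bytes drawn here are not a suitable HMAC-SHA512 signing key; use `SecureRandom random = new SecureRandom();` with `java.security.SecureRandom` imported. Note also that the key now lives only in this process: every restart invalidates all outstanding tokens, and if more than one instance of the service runs they will reject each other's tokens; that may be intended, but it belongs in a comment on the constructor (`// key is per-process: tokens do not survive a restart and are not shared across instances`). `EXPIRATION_TIME` lost its `// 8 hours` comment in the move; keep it.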
@@ -33,13 +33,13 @@ public class AuthController { private HttpSession session; private ShibbolethUserService userService; private UTF8Encoder encoder; - private SecurityConstants securityConstants; + private TokenService tokenService; @Autowired - public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, SecurityConstants securityConstants) { + public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, TokenService tokenService) { this.userService = userService; this.encoder = encoder; - this.securityConstants = securityConstants; + this.tokenService = tokenService; } @RequestMapping(value = "/login", method = RequestMethod.GET) 
@@ -55,29 +55,18 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, Se @RequestMapping(value = "/auth") public @ResponseBody AuthResponse getAuth(@RequestBody Map payload) throws IOException { AuthResponse auth = new AuthResponse(); - String token = (String) payload.get("token"); + String tokenString = (String) payload.get("token"); User user; ObjectMapper mapper = new ObjectMapper(); - if (token != null) { - try { - DecodedJWT verifiedToken = JWT.require(Algorithm.HMAC512(securityConstants.getSecret())) - .build() - .verify(token); - auth.setToken(verifiedToken.getToken()); - user = mapper.readValue(verifiedToken.getClaim("user").asString(), User.class); - auth.setUser(user); - } catch (JWTVerificationException exception) { - auth.setToken(null); - } + if (tokenString != null) { + DecodedJWT verifiedToken = tokenService.verifyToken(tokenString); + user = tokenService.getUserFromToken(verifiedToken); } if (session != null && auth.getToken() == null) { user = (User) session.getAttribute("user"); - token = JWT.create().withSubject(user.getId()) - .withExpiresAt(new Date(System.currentTimeMillis() + securityConstants.EXPIRATION_TIME)).withClaim("user", user.toJson()) - .sign(HMAC512(securityConstants.getSecret())); - auth.setToken(token); + tokenString = tokenService.buildTokenWithUser(user); + auth.setToken(tokenString); auth.setUser((User) session.getAttribute("user")); - session = null; } return auth; } diff --git a/src/main/java/org/kpmp/auth/TokenService.java b/src/main/java/org/kpmp/auth/TokenService.java new file mode 100755 index 0000000..abc815f --- /dev/null +++ b/src/main/java/org/kpmp/auth/TokenService.java 
@@ -0,0 +1,53 @@ +package org.kpmp.auth; + +import com.fasterxml.jackson.databind.ObjectMapper; +import com.auth0.jwt.JWT; +import com.auth0.jwt.algorithms.Algorithm; +import com.auth0.jwt.exceptions.JWTVerificationException; +import com.auth0.jwt.interfaces.DecodedJWT; +import com.fasterxml.jackson.core.JsonProcessingException; +import org.springframework.stereotype.Service; +import users.User; + +import java.io.IOException; +import java.util.Date; + +import static com.auth0.jwt.algorithms.Algorithm.HMAC512; + +@Service +public class TokenService { + + private SecurityConstants securityConstants; + + public TokenService(SecurityConstants securityConstants) { + this.securityConstants = securityConstants; + } + + public String buildTokenWithUser(User user) throws JsonProcessingException { + return JWT.create().withSubject(user.getId()) + .withExpiresAt(new Date(System.currentTimeMillis() + securityConstants.EXPIRATION_TIME)).withClaim("user", user.toJson()) + .sign(HMAC512(securityConstants.getSecret())); + + } + + public DecodedJWT verifyToken(String token) { + try { + return JWT.require(Algorithm.HMAC512(securityConstants.getSecret())) + .build() + .verify(token); + + } catch (JWTVerificationException exception) { + return null; + } + } + + public User getUserFromToken(DecodedJWT verifiedToken) { + ObjectMapper mapper = new ObjectMapper(); + try { + return mapper.readValue(verifiedToken.getClaim("user").asString(), User.class); + } catch (IOException e) { + return null; + } + } + +} From b8b18952c955f0becd95f6ce159fcb9fbc6a7c8b Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Wed, 29 May 2019 10:07:57 -0400 Subject: [PATCH 11/13] KPMP-1042: Check for null --- src/main/java/org/kpmp/auth/AuthController.java | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 6b4eeae..5f83105 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java 
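Review bot: `getUserFromToken` catches only `IOException`, but a verified token with no `user` claim (or a non-string one) gives `asString() == null`, and `ObjectMapper.readValue((String) null, …)` fails with an IllegalArgumentException rather than an IOException, so that failure escapes to the controller; and because `User.id` is `@JsonIgnore`d the parsed user has no id even though `sub` carries it. Check the claim first and restore the id from the subject, as below. `verifyToken` should also log why a token was rejected before returning null — `JWTVerificationException` messages carry no key material — and `ObjectMapper` is thread-safe once configured, so a `static final` instance avoids building one per call.

```java
private static final ObjectMapper MAPPER = new ObjectMapper();

// … unchanged: constructor, buildTokenWithUser, verifyToken …

public User getUserFromToken(DecodedJWT verifiedToken) {
    String userJson = verifiedToken.getClaim("user").asString();
    if (userJson == null) {
        return null; // claim absent or not a string: not an IOException, so handle it up front
    }
    try {
        User user = MAPPER.readValue(userJson, User.class);
        user.setId(verifiedToken.getSubject()); // id is @JsonIgnore'd and does not survive the JSON round trip
        return user;
    } catch (IOException e) {
        return null;
    }
}
```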
+++ b/src/main/java/org/kpmp/auth/AuthController.java @@ -56,18 +56,21 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, To public @ResponseBody AuthResponse getAuth(@RequestBody Map payload) throws IOException { AuthResponse auth = new AuthResponse(); String tokenString = (String) payload.get("token"); - User user; - ObjectMapper mapper = new ObjectMapper(); if (tokenString != null) { DecodedJWT verifiedToken = tokenService.verifyToken(tokenString); - user = tokenService.getUserFromToken(verifiedToken); + if (verifiedToken != null) { + auth.setToken(verifiedToken.getToken()); + auth.setUser(tokenService.getUserFromToken(verifiedToken)); + } } + if (session != null && auth.getToken() == null) { - user = (User) session.getAttribute("user"); + User user = (User) session.getAttribute("user"); tokenString = tokenService.buildTokenWithUser(user); auth.setToken(tokenString); - auth.setUser((User) session.getAttribute("user")); + auth.setUser(user); } + return auth; } From 947acca397c3fe03027cd8a1a29c639f64f18bee Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Wed, 29 May 2019 13:19:51 -0400 Subject: [PATCH 12/13] KPMP-1042: Add some tests --- .../java/org/kpmp/auth/AuthController.java | 1 + src/main/java/org/kpmp/auth/TokenService.java | 1 - .../org/kpmp/auth/SecurityConstantsTest.java | 28 ++++++++++ .../java/org/kpmp/auth/TokenServiceTest.java | 54 +++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100755 src/test/java/org/kpmp/auth/SecurityConstantsTest.java create mode 100755 src/test/java/org/kpmp/auth/TokenServiceTest.java diff --git a/src/main/java/org/kpmp/auth/AuthController.java b/src/main/java/org/kpmp/auth/AuthController.java index 5f83105..e11f216 100755 --- a/src/main/java/org/kpmp/auth/AuthController.java +++ b/src/main/java/org/kpmp/auth/AuthController.java 
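Review bot: `User user = (User) session.getAttribute("user");` is passed straight to `buildTokenWithUser`, which dereferences `user.getId()`, so a session that exists but was never populated by `/login` (or whose attribute has been removed) becomes a NullPointerException here; wrap the minting in `if (user != null) { ... }`. In the token branch, `getUserFromToken` can return null (it does on a parse failure), in which case the response carries a verified token but `auth.setUser(null)` — treat that like a failed verification rather than returning a half-populated `AuthResponse`. The `session` field this branch reads is still shared by every request to the controller.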
@@ -69,6 +69,7 @@ public AuthController(ShibbolethUserService userService, UTF8Encoder encoder, To tokenString = tokenService.buildTokenWithUser(user); auth.setToken(tokenString); auth.setUser(user); + session = null; } return auth; diff --git a/src/main/java/org/kpmp/auth/TokenService.java b/src/main/java/org/kpmp/auth/TokenService.java index abc815f..f0cb755 100755 --- a/src/main/java/org/kpmp/auth/TokenService.java +++ b/src/main/java/org/kpmp/auth/TokenService.java @@ -27,7 +27,6 @@ public String buildTokenWithUser(User user) throws JsonProcessingException { return JWT.create().withSubject(user.getId()) .withExpiresAt(new Date(System.currentTimeMillis() + securityConstants.EXPIRATION_TIME)).withClaim("user", user.toJson()) .sign(HMAC512(securityConstants.getSecret())); - } public DecodedJWT verifyToken(String token) { diff --git a/src/test/java/org/kpmp/auth/SecurityConstantsTest.java b/src/test/java/org/kpmp/auth/SecurityConstantsTest.java new file mode 100755 index 0000000..6187bfd --- /dev/null +++ b/src/test/java/org/kpmp/auth/SecurityConstantsTest.java @@ -0,0 +1,28 @@ +package org.kpmp.auth; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import static org.junit.Assert.assertEquals; + +public class SecurityConstantsTest { + + private SecurityConstants securityConstants; + + @Before + public void setUp() throws Exception { + securityConstants = new SecurityConstants(); + } + + @After + public void tearDown() throws Exception { + securityConstants = null; + } + + @Test + public void testGetSecret() { + assertEquals(securityConstants.getSecret().length, 32); + } + +} diff --git a/src/test/java/org/kpmp/auth/TokenServiceTest.java b/src/test/java/org/kpmp/auth/TokenServiceTest.java new file mode 100755 index 0000000..297b4a7 --- /dev/null +++ b/src/test/java/org/kpmp/auth/TokenServiceTest.java 
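Review bot: `testGetSecret` only checks the array length, which a zero-filled or constant key also satisfies; since the point of KPMP-1042 is that the key is unpredictable, construct a second instance and assert the keys differ — `assertFalse(Arrays.equals(securityConstants.getSecret(), new SecurityConstants().getSecret()));` — which also guards against a future refactor seeding the generator deterministically. `assertEquals` takes the expected value first; `assertEquals(32, securityConstants.getSecret().length)` reads correctly on failure. The `session = null;` restored in the first hunk makes the controller's shared `session` field one-shot, which is the right direction, but whichever client calls `/auth` first after a login still consumes it.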
@@ -0,0 +1,54 @@ +package org.kpmp.auth; + +import com.auth0.jwt.interfaces.DecodedJWT; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import users.User; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.mockito.Mockito.when; + +public class TokenServiceTest { + + private TokenService tokenService; + @Mock + private SecurityConstants securityConstants; + + + @Before + public void setUp() throws Exception { + MockitoAnnotations.initMocks(this); + tokenService = new TokenService(securityConstants); + } + + @After + public void tearDown() throws Exception { + tokenService = null; + } + + @Test + public void testBuildandVerifyToken() throws Exception { + when(securityConstants.getSecret()).thenReturn("GiveMeTheInfinityStones".getBytes()); + User user = new User(); + user.setId("123"); + user.setDisplayName("Thanos the Great"); + user.setEmail("bigguy@titan.com"); + user.setFirstName("Thanos"); + user.setLastName("Smith"); + String token = tokenService.buildTokenWithUser(user); + assertNotNull(token); + DecodedJWT verifiedToken = tokenService.verifyToken(token); + assertNotNull(verifiedToken); + User userFromJWT = tokenService.getUserFromToken(verifiedToken); + assertEquals(userFromJWT.getDisplayName(), user.getDisplayName()); + assertEquals(userFromJWT.getEmail(), user.getEmail()); + assertEquals(userFromJWT.getFirstName(), user.getFirstName()); + assertEquals(userFromJWT.getLastName(), user.getLastName()); + assertEquals(verifiedToken.getSubject(), user.getId()); + } + +} From 42b8bcf0925060006bc0cb8548fa8a20261d7dea Mon Sep 17 00:00:00 2001 From: Zach Wright Date: Wed, 29 May 2019 13:57:42 -0400 Subject: [PATCH 13/13] KPMP-1042: Travis --- .travis.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .travis.yml 
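Review bot: The test exercises only the happy path; nothing checks that `verifyToken` rejects a tampered or foreign token, which is the property the service exists for. Add e.g. `assertNull(tokenService.verifyToken(token + "x"));` (a corrupted signature segment) and a case where the mocked `getSecret()` returns a different key for the verify call. It also never asserts `userFromJWT.getId()`, which would have revealed that `id` does not survive the JSON round trip because it is `@JsonIgnore`d; the last line covers only the `sub` claim. `assertEquals` expects the expected value first — the arguments are reversed throughout, which only garbles failure messages.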
diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..682fce1 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,15 @@ +language: java + +jdk: + - oraclejdk8 + +install: true + +script: + - ./gradlew build + +notifications: + email: + - rlreamy@umich.edu + - zwright@umich.edu + - rossmith@umich.edu
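Review bot: `./gradlew build` executes the wrapper jar committed to the repository, so CI trusts whatever `gradle/wrapper/gradle-wrapper.jar` contains and a change that swaps that binary runs arbitrary code on the build host. Verify the wrapper against Gradle's published checksum as a first `script` step, or build with a Travis-provided Gradle instead; `install: true` already opts out of Travis' own dependency step, which I assume is deliberate.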