Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor password grant #3165

Merged
merged 4 commits into from
Nov 29, 2024
Merged

Refactor password grant #3165

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
37b4dd7
Refactor password grant
strehle Nov 28, 2024
a799425
Merge remote-tracking branch 'origin/develop' into refactor/simplifyP…
strehle Nov 28, 2024
b01541d
review
strehle Nov 28, 2024
16142fe
Use and include test from (#3168)
strehle Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 13 additions & 12 deletions .../cloudfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@
import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthCodeToken;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthProviderConfigurator;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationEvent;
Expand All @@ -45,6 +44,7 @@
import java.net.URL;
import java.util.*;
import java.util.function.Supplier;
import java.util.stream.Stream;

import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_PASSWORD;
import static org.springframework.http.MediaType.APPLICATION_JSON;
Expand All @@ -56,15 +56,13 @@ public class PasswordGrantAuthenticationManager implements AuthenticationManager
private IdentityProviderProvisioning identityProviderProvisioning;
private RestTemplateConfig restTemplateConfig;
private ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager;
private ExternalOAuthProviderConfigurator externalOAuthProviderProvisioning;
private ApplicationEventPublisher eventPublisher;

public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager, final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager, ExternalOAuthProviderConfigurator externalOAuthProviderProvisioning) {
public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager, final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager) {
this.zoneAwareAuthzAuthenticationManager = zoneAwareAuthzAuthenticationManager;
this.identityProviderProvisioning = identityProviderProvisioning;
this.restTemplateConfig = restTemplateConfig;
this.externalOAuthAuthenticationManager = externalOAuthAuthenticationManager;
this.externalOAuthProviderProvisioning = externalOAuthProviderProvisioning;
}

@Override
Expand All @@ -73,7 +71,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
List<String> allowedProviders = getAllowedProviders();
String defaultProvider = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
UaaLoginHint loginHintToUse;
IdentityProvider<OIDCIdentityProviderDefinition> identityProvider = retrieveOidcPasswordIdp(uaaLoginHint, defaultProvider, allowedProviders);
IdentityProvider<?> identityProvider = retrievePasswordIdp(uaaLoginHint, defaultProvider, allowedProviders);
List<String> possibleProviders;
if (identityProvider != null) {
possibleProviders = List.of(identityProvider.getOriginKey());
Expand All @@ -87,7 +85,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
} else {
loginHintToUse = getUaaLoginHintForChainedAuth(possibleProviders);
if (identityProvider == null) {
identityProvider = retrieveOidcPasswordIdp(loginHintToUse, null, null);
identityProvider = retrievePasswordIdp(loginHintToUse, null, null);
}
}
} else {
Expand All @@ -109,12 +107,12 @@ public Authentication authenticate(Authentication authentication) throws Authent
}
}

private IdentityProvider<OIDCIdentityProviderDefinition> retrieveOidcPasswordIdp(UaaLoginHint loginHint, String defaultOrigin, List<String> allowedProviders) {
IdentityProvider<OIDCIdentityProviderDefinition> idp = null;
private IdentityProvider<?> retrievePasswordIdp(UaaLoginHint loginHint, String defaultOrigin, List<String> allowedProviders) {
IdentityProvider<?> idp = null;
String useOrigin = loginHint != null && loginHint.getOrigin() != null ? loginHint.getOrigin() : defaultOrigin;
if (useOrigin != null && !useOrigin.equalsIgnoreCase(OriginKeys.UAA) && !useOrigin.equalsIgnoreCase(OriginKeys.LDAP)) {
if (useOrigin != null) {
try {
IdentityProvider<OIDCIdentityProviderDefinition> retrievedByOrigin = externalOAuthProviderProvisioning.retrieveByOrigin(useOrigin,
IdentityProvider<?> retrievedByOrigin = identityProviderProvisioning.retrieveByOrigin(useOrigin,
IdentityZoneHolder.get().getId());
if (retrievedByOrigin != null && retrievedByOrigin.isActive() && retrievedByOrigin.getOriginKey().equals(useOrigin)
&& providerSupportsPasswordGrant(retrievedByOrigin) && (allowedProviders == null || allowedProviders.contains(useOrigin))) {
Expand Down Expand Up @@ -145,8 +143,11 @@ private UaaLoginHint getUaaLoginHintForChainedAuth(List<String> allowedProviders
return loginHintToUse;
}

Authentication oidcPasswordGrant(Authentication authentication, final IdentityProvider<OIDCIdentityProviderDefinition> identityProvider) {
final OIDCIdentityProviderDefinition config = identityProvider.getConfig();
Authentication oidcPasswordGrant(Authentication authentication, final IdentityProvider<?> identityProvider) {
final OIDCIdentityProviderDefinition config = Stream.of(identityProvider).
map(i -> i.getConfig()).
filter(OIDCIdentityProviderDefinition.class::isInstance).
map(OIDCIdentityProviderDefinition.class::cast).findFirst().orElseThrow(() -> new ProviderConfigurationException("Invalid identity provider type"));

//Token per RestCall
URL tokenUrl = config.getTokenUrl();
Expand Down
35 changes: 16 additions & 19 deletions ...udfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManagerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@
import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthCodeToken;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthProviderConfigurator;
import org.cloudfoundry.identity.uaa.util.AlphanumericRandomValueStringGenerator;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.junit.jupiter.api.AfterEach;
Expand Down Expand Up @@ -80,7 +79,6 @@ class PasswordGrantAuthenticationManagerTest {
private IdentityProviderProvisioning identityProviderProvisioning;
private RestTemplateConfig restTemplateConfig;
private ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager;
private ExternalOAuthProviderConfigurator externalOAuthProviderConfigurator;
private ApplicationEventPublisher eventPublisher;

private IdentityProvider idp;
Expand All @@ -95,7 +93,6 @@ void setUp() throws Exception {
identityProviderProvisioning = mock(IdentityProviderProvisioning.class);
restTemplateConfig = mock(RestTemplateConfig.class);
externalOAuthAuthenticationManager = mock(ExternalOAuthAuthenticationManager.class);
externalOAuthProviderConfigurator = mock(ExternalOAuthProviderConfigurator.class);

idp = mock(IdentityProvider.class);
idpConfig = mock(OIDCIdentityProviderDefinition.class);
Expand All @@ -116,7 +113,7 @@ void setUp() throws Exception {
when(ldapProvider.getOriginKey()).thenReturn(OriginKeys.LDAP);

when(identityProviderProvisioning.retrieveActive("uaa")).thenReturn(Arrays.asList(idp, uaaProvider, ldapProvider));
when(externalOAuthProviderConfigurator.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(idp);
when(identityProviderProvisioning.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(idp);

Authentication clientAuth = mock(Authentication.class);
when(clientAuth.getName()).thenReturn("clientid");
Expand All @@ -125,7 +122,7 @@ void setUp() throws Exception {
when(clientAuth.getPrincipal()).thenReturn(uaaClient);
when(uaaClient.getAdditionalInformation()).thenReturn(mock(Map.class));

instance = new PasswordGrantAuthenticationManager(zoneAwareAuthzAuthenticationManager, identityProviderProvisioning, restTemplateConfig, externalOAuthAuthenticationManager, externalOAuthProviderConfigurator);
instance = new PasswordGrantAuthenticationManager(zoneAwareAuthzAuthenticationManager, identityProviderProvisioning, restTemplateConfig, externalOAuthAuthenticationManager);
IdentityZoneHolder.clear();
eventPublisher = mock(ApplicationEventPublisher.class);
instance.setApplicationEventPublisher(eventPublisher);
Expand All @@ -144,7 +141,7 @@ void testPasswordGrantNoLoginHint() {
instance.authenticate(auth);

verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(auth);
verify(externalOAuthProviderConfigurator, times(0)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveActive(any());
}

Expand Down Expand Up @@ -184,7 +181,7 @@ void testOIDCPasswordGrant() {
ArgumentCaptor<ExternalOAuthCodeToken> tokenArgumentCaptor = ArgumentCaptor.forClass(ExternalOAuthCodeToken.class);
verify(externalOAuthAuthenticationManager, times(1)).authenticate(tokenArgumentCaptor.capture());
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveActive(any());

HttpEntity httpEntity = httpEntityArgumentCaptor.getValue();
Expand Down Expand Up @@ -238,7 +235,7 @@ void testOIDCPasswordGrantWithForwardHeader() {
ArgumentCaptor<ExternalOAuthCodeToken> tokenArgumentCaptor = ArgumentCaptor.forClass(ExternalOAuthCodeToken.class);
verify(externalOAuthAuthenticationManager, times(1)).authenticate(tokenArgumentCaptor.capture());
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveActive(any());

HttpEntity httpEntity = httpEntityArgumentCaptor.getValue();
Expand Down Expand Up @@ -317,7 +314,7 @@ void testOIDCPasswordGrantProviderNotFoundInDB() {
when(loginHint.getOrigin()).thenReturn("oidcprovider2");
Authentication auth = mock(Authentication.class);
when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(loginHint);
when(externalOAuthProviderConfigurator.retrieveByOrigin(any(), any())).thenThrow(new EmptyResultDataAccessException(1));
when(identityProviderProvisioning.retrieveByOrigin(any(), any())).thenThrow(new EmptyResultDataAccessException(1));

try {
instance.authenticate(auth);
Expand All @@ -337,7 +334,7 @@ void testOIDCPasswordGrantProviderTypeNotOidc() {
when(localIdp.getType()).thenReturn(OriginKeys.SAML);

when(identityProviderProvisioning.retrieveActive("uaa")).thenReturn(Arrays.asList(uaaProvider, ldapProvider, localIdp));
when(externalOAuthProviderConfigurator.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
when(identityProviderProvisioning.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
UaaLoginHint loginHint = mock(UaaLoginHint.class);
when(loginHint.getOrigin()).thenReturn("oidcprovider");
Authentication auth = mock(Authentication.class);
Expand All @@ -362,7 +359,7 @@ void testOIDCPasswordGrantProviderDoesNotSupportPassword() {
when(idpConfig.isPasswordGrantEnabled()).thenReturn(false);

when(identityProviderProvisioning.retrieveActive("uaa")).thenReturn(Arrays.asList(uaaProvider, ldapProvider, localIdp));
when(externalOAuthProviderConfigurator.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
when(identityProviderProvisioning.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
UaaLoginHint loginHint = mock(UaaLoginHint.class);
when(loginHint.getOrigin()).thenReturn("oidcprovider");
Authentication auth = mock(Authentication.class);
Expand All @@ -387,7 +384,7 @@ void testOIDCPasswordGrantProviderNoRelyingPartyCredentials() {
when(idpConfig.isPasswordGrantEnabled()).thenReturn(true);

when(identityProviderProvisioning.retrieveActive("uaa")).thenReturn(Arrays.asList(uaaProvider, ldapProvider, localIdp));
when(externalOAuthProviderConfigurator.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
when(identityProviderProvisioning.retrieveByOrigin("oidcprovider", "uaa")).thenReturn(localIdp);
UaaLoginHint loginHint = mock(UaaLoginHint.class);
when(loginHint.getOrigin()).thenReturn("oidcprovider");
Authentication auth = mock(Authentication.class);
Expand Down Expand Up @@ -540,7 +537,7 @@ void testOIDCPasswordGrantWithPrompts() {
ArgumentCaptor<ExternalOAuthCodeToken> tokenArgumentCaptor = ArgumentCaptor.forClass(ExternalOAuthCodeToken.class);
verify(externalOAuthAuthenticationManager, times(1)).authenticate(tokenArgumentCaptor.capture());
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveActive(any());

HttpEntity httpEntity = httpEntityArgumentCaptor.getValue();
Expand Down Expand Up @@ -671,7 +668,7 @@ void testOIDCPasswordGrant_NoLoginHintWithDefaultOIDC() {
ArgumentCaptor<ExternalOAuthCodeToken> tokenArgumentCaptor = ArgumentCaptor.forClass(ExternalOAuthCodeToken.class);
verify(externalOAuthAuthenticationManager, times(1)).authenticate(tokenArgumentCaptor.capture());
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveActive(any());

HttpEntity httpEntity = httpEntityArgumentCaptor.getValue();
Expand Down Expand Up @@ -718,7 +715,7 @@ void testOIDCPasswordGrant_LoginHintOidcOverridesDefaultUaa() {
verify(rt, times(1)).exchange(eq("http://localhost:8080/uaa/oauth/token"), eq(HttpMethod.POST), any(HttpEntity.class),eq(new ParameterizedTypeReference<Map<String,String>>(){}));
verify(externalOAuthAuthenticationManager, times(1)).authenticate(any(ExternalOAuthCodeToken.class));
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveActive(any());
}

Expand Down Expand Up @@ -764,7 +761,7 @@ void testOIDCPasswordGrant_NoLoginHintDefaultNotAllowedSingleIdpOIDC() {
verify(rt, times(1)).exchange(eq("http://localhost:8080/uaa/oauth/token"), eq(HttpMethod.POST), any(HttpEntity.class),eq(new ParameterizedTypeReference<Map<String,String>>(){}));
verify(externalOAuthAuthenticationManager, times(1)).authenticate(any(ExternalOAuthCodeToken.class));
verify(zoneAwareAuthzAuthenticationManager, times(0)).authenticate(any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, atLeast(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveActive(any());
}

Expand All @@ -783,7 +780,7 @@ void testOIDCPasswordGrant_NoLoginHintDefaultNotAllowedSingleIdpDoesNotSupportPa
when(localIdp.getType()).thenReturn(OriginKeys.OIDC10);
when(idpConfig.isPasswordGrantEnabled()).thenReturn(false);
when(identityProviderProvisioning.retrieveActive("uaa")).thenReturn(Arrays.asList(uaaProvider, ldapProvider, localIdp));
when(externalOAuthProviderConfigurator.retrieveByOrigin("oidcprovider","uaa")).thenReturn(localIdp);
when(identityProviderProvisioning.retrieveByOrigin("oidcprovider","uaa")).thenReturn(localIdp);

try {
instance.authenticate(auth);
Expand Down Expand Up @@ -822,7 +819,7 @@ void testOIDCPasswordGrant_NoLoginHintDefaultNotAllowedChainedAuth() {

verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(auth);
verify(zoneAwareAuthzAuthenticationManager, times(0)).setLoginHint(any(), any());
verify(externalOAuthProviderConfigurator, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveActive(any());
}

Expand Down Expand Up @@ -877,7 +874,7 @@ void testPasswordGrant_NoLoginHintNoDefaultTriesChainedAuth() {

verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(auth);
verify(zoneAwareAuthzAuthenticationManager, times(0)).setLoginHint(any(), any());
verify(externalOAuthProviderConfigurator, times(0)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(0)).retrieveByOrigin(any(), any());
verify(identityProviderProvisioning, times(1)).retrieveActive(any());
}

Expand Down
Loading