diff --git a/spring-cloud-config-client/pom.xml b/spring-cloud-config-client/pom.xml index 5b991d98ba..43119e4127 100644 --- a/spring-cloud-config-client/pom.xml +++ b/spring-cloud-config-client/pom.xml @@ -21,6 +21,10 @@ ]]> + + 3.0.5 + + org.springframework.boot @@ -80,6 +84,11 @@ spring-boot-autoconfigure-processor true + + com.github.ulisesbocchio + jasypt-spring-boot + ${jasypt-spring-boot.version} + org.springframework.boot spring-boot-starter-test @@ -95,6 +104,16 @@ spring-cloud-test-support test + + com.squareup.okhttp3 + okhttp + test + + + com.squareup.okhttp3 + mockwebserver + test + diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/AccessTokenResponse.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/AccessTokenResponse.java new file mode 100644 index 0000000000..371603b357 --- /dev/null +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/AccessTokenResponse.java @@ -0,0 +1,53 @@ +/* + * Copyright 2013-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.config.client; + +import com.fasterxml.jackson.annotation.JsonProperty; + +/** + * @author Bruce Randall + * + */ +public class AccessTokenResponse { + + @JsonProperty("access_token") + private String accessToken; + + @JsonProperty("token_type") + private String tokenType; + + public String getAccessToken() { + return accessToken; + } + + public void setAccessToken(String accessToken) { + this.accessToken = accessToken; + } + + public String getTokenType() { + return tokenType; + } + + public void setTokenType(String tokenType) { + this.tokenType = tokenType; + } + + public String getBearerHeader() { + return getTokenType() + " " + getAccessToken(); + } + +} diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientOAuth2Properties.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientOAuth2Properties.java new file mode 100644 index 0000000000..4b62f62ff5 --- /dev/null +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientOAuth2Properties.java @@ -0,0 +1,118 @@ +/* + * Copyright 2013-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.config.client; + +import org.springframework.boot.context.properties.ConfigurationProperties; + +/** + * @author Bruce Randall + * + */ +@ConfigurationProperties(ConfigClientOAuth2Properties.PREFIX) +public class ConfigClientOAuth2Properties { + + /** + * Prefix for Spring Cloud Config properties. + */ + public static final String PREFIX = "spring.cloud.config.oauth2"; + + /** + * The OAuth2 token URI of the IDP issuing JWT tokens. When present enables OAuth2 + * client calls. + */ + private String tokenUri; + + /** + * The OAuth2 grant type (client_credentials, password). + */ + private String grantType; + + /** + * The OAuth2 client id should it be needed in JWT token request. + */ + private String clientId; + + /** + * The OAuth2 client secret should it be needed in JWT token request. + */ + private String clientSecret; + + /** + * The OAuth2 username to use when contacting the IDP. + */ + private String oauthUsername; + + /** + * The OAuth2 user password to use when contacting the IDP. + */ + private String oauthPassword; + + public String getTokenUri() { + return tokenUri; + } + + public void setTokenUri(String tokenUri) { + this.tokenUri = tokenUri; + } + + public String getGrantType() { + return grantType; + } + + public void setGrantType(String grantType) { + this.grantType = grantType; + } + + public String getClientId() { + return clientId; + } + + public void setClientId(String clientId) { + this.clientId = clientId; + } + + public String getClientSecret() { + return clientSecret; + } + + public void setClientSecret(String clientSecret) { + this.clientSecret = clientSecret; + } + + public String getOauthUsername() { + return oauthUsername; + } + + public void setOauthUsername(String oauthUsername) { + this.oauthUsername = oauthUsername; + } + + public String getOauthPassword() { + return oauthPassword; + } + + public void setOauthPassword(String oauthPassword) { + this.oauthPassword = oauthPassword; + } + + @Override + public String toString() { + return "ConfigClientOAuth2Properties{" + "tokenUri='" + tokenUri + '\'' + ", grantType='" + grantType + '\'' + + ", clientId='" + clientId + '\'' + ", oauthUsername='" + oauthUsername + '\'' + '}'; + } + +} diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientProperties.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientProperties.java index 7257af94ab..78c74aa52a 100644 --- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientProperties.java +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientProperties.java @@ -117,6 +117,16 @@ public class ConfigClientProperties { */ private String password; + /** + * OAUTH2 Properties. + */ + private ConfigClientOAuth2Properties configClientOAuth2Properties; + + /** + * Encryption properties. + */ + private EncryptorConfig encryptorConfig; + /** * The URI of the remote server (default http://localhost:8888). */ @@ -248,6 +258,22 @@ public void setPassword(String password) { this.password = password; } + public ConfigClientOAuth2Properties getConfigClientOAuth2Properties() { + return configClientOAuth2Properties; + } + + public void setConfigClientOAuth2Properties(ConfigClientOAuth2Properties configClientOAuth2Properties) { + this.configClientOAuth2Properties = configClientOAuth2Properties; + } + + public EncryptorConfig getEncryptorConfig() { + return encryptorConfig; + } + + public void setEncryptorConfig(EncryptorConfig encryptorConfig) { + this.encryptorConfig = encryptorConfig; + } + public Credentials getCredentials(int index) { return extractCredentials(index); } @@ -391,7 +417,7 @@ private Credentials getUsernamePassword() { return credentials; } - public ConfigClientProperties override(org.springframework.core.env.Environment environment) { + public ConfigClientProperties override(Environment environment) { ConfigClientProperties override = new ConfigClientProperties(); BeanUtils.copyProperties(this, override); override.setName(environment.resolvePlaceholders(NAME_PLACEHOLDER)); diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactory.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactory.java index 44f7c8ef21..d372d62f28 100644 --- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactory.java +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactory.java @@ -18,13 +18,18 @@ import java.io.IOException; import java.security.GeneralSecurityException; -import java.util.Arrays; +import java.util.Base64; import java.util.HashMap; +import java.util.List; import java.util.Map; +import java.util.Optional; import java.util.concurrent.TimeUnit; import javax.net.ssl.SSLContext; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.logging.Log; import org.apache.hc.client5.http.classic.HttpClient; import org.apache.hc.client5.http.impl.classic.HttpClients; @@ -35,15 +40,19 @@ import org.apache.hc.core5.util.Timeout; import org.springframework.cloud.configuration.SSLContextFactory; +import org.springframework.http.HttpEntity; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpRequest; +import org.springframework.http.MediaType; import org.springframework.http.client.ClientHttpRequestExecution; import org.springframework.http.client.ClientHttpRequestFactory; import org.springframework.http.client.ClientHttpRequestInterceptor; import org.springframework.http.client.ClientHttpResponse; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; import org.springframework.http.client.SimpleClientHttpRequestFactory; -import org.springframework.util.Base64Utils; +import org.springframework.util.LinkedMultiValueMap; +import org.springframework.util.MultiValueMap; +import org.springframework.util.StringUtils; import org.springframework.web.client.RestTemplate; import static org.springframework.cloud.config.client.ConfigClientProperties.AUTHORIZATION; @@ -52,11 +61,14 @@ public class ConfigClientRequestTemplateFactory { private final Log log; + private EncryptorConfig encryptorConfig; + private final ConfigClientProperties properties; public ConfigClientRequestTemplateFactory(Log log, ConfigClientProperties properties) { this.log = log; this.properties = properties; + this.encryptorConfig = properties.getEncryptorConfig(); } public Log getLog() { @@ -79,13 +91,63 @@ public RestTemplate create() { RestTemplate template = new RestTemplate(requestFactory); Map headers = new HashMap<>(properties.getHeaders()); headers.remove(AUTHORIZATION); // To avoid redundant addition of header - if (!headers.isEmpty()) { - template.setInterceptors(Arrays.asList(new GenericRequestHeaderInterceptor(headers))); + + if (properties.getConfigClientOAuth2Properties() != null) { + Optional responseOpt = getOAuthToken(template, + properties.getConfigClientOAuth2Properties().getTokenUri()); + if (responseOpt.isPresent()) { + AccessTokenResponse accessTokenResponse = responseOpt.get(); + headers.put(AUTHORIZATION, accessTokenResponse.getBearerHeader()); + properties.setHeaders(headers); + } } return template; } + private Optional getOAuthToken(RestTemplate template, String tokenUri) { + ConfigClientOAuth2Properties oauth2Properties = properties.getConfigClientOAuth2Properties(); + if (oauth2Properties.getGrantType() == null) { + throw new IllegalStateException("OAuth2 Grant Type property required."); + } + HttpHeaders httpHeaders = new HttpHeaders(); + httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED); + MultiValueMap map = new LinkedMultiValueMap<>(); + map.put("grant_type", List.of(oauth2Properties.getGrantType())); + if (StringUtils.hasText(oauth2Properties.getClientId())) { + map.put("client_id", List.of(oauth2Properties.getClientId())); + map.put("client_secret", List.of(decryptProperty(oauth2Properties.getClientSecret()))); + } + if (StringUtils.hasText(oauth2Properties.getOauthUsername())) { + map.put("username", List.of(oauth2Properties.getOauthUsername())); + map.put("password", List.of(decryptProperty(oauth2Properties.getOauthPassword()))); + } + HttpEntity> requestBodyFormUrlEncoded = new HttpEntity<>(map, httpHeaders); + + String tokenJson = template.postForObject(tokenUri, requestBodyFormUrlEncoded, String.class); + return parseTokenResponse(tokenJson); + } + + private String decryptProperty(String property) { + if (encryptorConfig != null) { + return encryptorConfig.decryptProperty(property); + } + else { + return property; + } + } + + private Optional parseTokenResponse(String tokenJson) { + try { + ObjectMapper objectMapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, + false); + return Optional.of(objectMapper.readValue(tokenJson, AccessTokenResponse.class)); + } + catch (JsonProcessingException e) { + return Optional.empty(); + } + } + protected ClientHttpRequestFactory createHttpRequestFactory(ConfigClientProperties client) { if (client.getTls().isEnabled()) { try { @@ -137,7 +199,7 @@ public void addAuthorizationToken(HttpHeaders httpHeaders, String username, Stri } if (password != null) { - byte[] token = Base64Utils.encode((username + ":" + password).getBytes()); + byte[] token = Base64.getEncoder().encode((username + ":" + password).getBytes()); httpHeaders.add("Authorization", "Basic " + new String(token)); } else if (authorization != null) { @@ -161,7 +223,9 @@ public GenericRequestHeaderInterceptor(Map headers) { public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { for (Map.Entry header : this.headers.entrySet()) { - request.getHeaders().add(header.getKey(), header.getValue()); + if (!request.getHeaders().containsKey(HttpHeaders.AUTHORIZATION)) { + request.getHeaders().add(header.getKey(), header.getValue()); + } } return execution.execute(request, body); } diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoader.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoader.java index 7a4eda8a8a..3a99e80525 100644 --- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoader.java +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoader.java @@ -49,6 +49,7 @@ import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; +import org.springframework.http.client.ClientHttpRequestInterceptor; import org.springframework.util.StringUtils; import org.springframework.web.client.HttpClientErrorException; import org.springframework.web.client.HttpServerErrorException; @@ -264,7 +265,6 @@ protected Environment getRemoteEnvironment(ConfigDataLoaderContext context, Conf String path = "/{name}/{profile}"; String name = properties.getName(); String profile = resource.getProfiles(); - String token = properties.getToken(); String[] uris; boolean discoveryEnabled = properties.getDiscovery().isEnabled(); ConfigClientProperties bootstrapConfigClientProperties = context.getBootstrapContext() @@ -319,12 +319,21 @@ protected Environment getRemoteEnvironment(ConfigDataLoaderContext context, Conf HttpHeaders headers = new HttpHeaders(); headers.setAccept(acceptHeader); requestTemplateFactory.addAuthorizationToken(headers, username, password); - if (StringUtils.hasText(token)) { - headers.add(TOKEN_HEADER, token); - } if (StringUtils.hasText(state) && properties.isSendState()) { headers.add(STATE_HEADER, state); } + if (properties.getConfigClientOAuth2Properties() != null && !properties.getHeaders().isEmpty()) { + List interceptors = List + .of(new ConfigClientRequestTemplateFactory.GenericRequestHeaderInterceptor( + properties.getHeaders())); + restTemplate.setInterceptors(interceptors); + } + else { + requestTemplateFactory.addAuthorizationToken(headers, username, password); + if (StringUtils.hasText(properties.getToken())) { + headers.add(TOKEN_HEADER, properties.getToken()); + } + } final HttpEntity entity = new HttpEntity<>((Void) null, headers); response = restTemplate.exchange(uri + path, HttpMethod.GET, entity, Environment.class, args); diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolver.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolver.java index 1d0ba923f2..51590573ae 100644 --- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolver.java +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolver.java @@ -102,13 +102,20 @@ protected PropertyHolder loadProperties(ConfigDataLocationResolverContext contex .orElse("application"); configClientProperties.setName(applicationName); } + ConfigClientOAuth2Properties oauth2Properties = binder + .bind(ConfigClientOAuth2Properties.PREFIX, Bindable.of(ConfigClientOAuth2Properties.class), bindHandler) + .orElse(null); + configClientProperties.setConfigClientOAuth2Properties(oauth2Properties); + + EncryptorConfig encryptorConfig = binder + .bind(EncryptorConfig.PREFIX, Bindable.of(EncryptorConfig.class), bindHandler).orElse(null); + configClientProperties.setEncryptorConfig(encryptorConfig); PropertyHolder holder = new PropertyHolder(); holder.properties = configClientProperties; // bind retry, override later holder.retryProperties = binder.bind(RetryProperties.PREFIX, RetryProperties.class) .orElseGet(RetryProperties::new); - if (StringUtils.hasText(uris)) { String[] uri = StringUtils.commaDelimitedListToStringArray(uris); String paramStr = null; diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/EncryptorConfig.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/EncryptorConfig.java new file mode 100644 index 0000000000..39ff2ca9a5 --- /dev/null +++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/config/client/EncryptorConfig.java @@ -0,0 +1,110 @@ +/* + * Copyright 2013-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.config.client; + +import java.util.Objects; + +import com.ulisesbocchio.jasyptspringboot.encryptor.SimplePBEByteEncryptor; +import com.ulisesbocchio.jasyptspringboot.encryptor.SimplePBEStringEncryptor; +import org.jasypt.encryption.StringEncryptor; +import org.jasypt.salt.RandomSaltGenerator; + +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.util.StringUtils; + +/** + * @author Bruce Randall + * + */ +@ConfigurationProperties(EncryptorConfig.PREFIX) +public class EncryptorConfig { + + /** + * Prefix for Spring Cloud Config properties. + */ + public static final String PREFIX = "spring.cloud.config.encryptor"; + + /** + * The Jayspt encryption password System Property. + */ + public static final String ENCRYPTOR_SYSTEM_PROPERTY = "encryptor-password"; + + /** + * The Jayspt Encryptor. + */ + private StringEncryptor encryptor; + + /** + * The Jasypt encryption algorithm. + */ + private String encryptorAlgorithm; + + /** + * Encryption iterations. Default = 1000. + */ + private Integer encryptorIterations; + + public String getEncryptorAlgorithm() { + return encryptorAlgorithm; + } + + public void setEncryptorAlgorithm(String encryptorAlgorithm) { + this.encryptorAlgorithm = encryptorAlgorithm; + } + + public Integer getEncryptorIterations() { + return encryptorIterations; + } + + public void setEncryptorIterations(Integer encryptorIterations) { + this.encryptorIterations = encryptorIterations; + } + + public StringEncryptor getEncryptor() { + if (encryptor == null) { + buildEncryptor(); + } + return encryptor; + } + + public String decryptProperty(String prop) { + if (prop.startsWith("ENC(")) { + prop = prop.substring(4, prop.lastIndexOf(")")); + return getEncryptor().decrypt(prop); + } + return prop; + } + + @Override + public String toString() { + return "EncryptorConfig{" + "encryptorAlgorithm='" + encryptorAlgorithm + '\'' + ", encryptorIterations=" + + encryptorIterations + '}'; + } + + public void buildEncryptor() { + SimplePBEByteEncryptor byteEncryptor = new SimplePBEByteEncryptor(); + byteEncryptor.setPassword(System.getProperty(ENCRYPTOR_SYSTEM_PROPERTY)); + if (StringUtils.hasText(this.encryptorAlgorithm)) { + byteEncryptor.setAlgorithm(this.encryptorAlgorithm); + } + byteEncryptor.setIterations(Objects.requireNonNullElse(this.encryptorIterations, 1000)); + byteEncryptor.setSaltGenerator(new RandomSaltGenerator()); + + encryptor = new SimplePBEStringEncryptor(byteEncryptor); + } + +} diff --git a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientPropertiesTests.java b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientPropertiesTests.java index 83d0dd9892..6c0ab3d597 100644 --- a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientPropertiesTests.java +++ b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientPropertiesTests.java @@ -25,6 +25,7 @@ import org.springframework.core.env.ConfigurableEnvironment; import org.springframework.core.env.StandardEnvironment; import org.springframework.mock.env.MockEnvironment; +import org.springframework.test.util.ReflectionTestUtils; import static org.assertj.core.api.Assertions.assertThat; @@ -183,4 +184,49 @@ public void testThatExplicitMultipleUriStrategyTakesPrecedence() { .isEqualTo(MultipleUriStrategy.CONNECTION_TIMEOUT_ONLY.name()); } + @Test + void testOauthProperties() { + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + properties.setUri(new String[] { "https://localhost:8888/" }); + + ConfigClientOAuth2Properties oauth2Properties = new ConfigClientOAuth2Properties(); + oauth2Properties.setTokenUri("http://localhost:9080/realms/test-realm/protocol/openid-connect/token"); + oauth2Properties.setClientId("clientId"); + oauth2Properties.setClientSecret("clientSecret"); + oauth2Properties.setOauthUsername("oauthUsername"); + oauth2Properties.setOauthPassword("oauthPassword"); + oauth2Properties.setGrantType("password"); + properties.setConfigClientOAuth2Properties(oauth2Properties); + EncryptorConfig encryptorConfig = new EncryptorConfig(); + encryptorConfig.setEncryptorAlgorithm("PBEWITHHMACSHA512ANDAES_256"); + encryptorConfig.setEncryptorIterations(10000); + properties.setEncryptorConfig(encryptorConfig); + + assertThat(oauth2Properties.getTokenUri()) + .isEqualTo("http://localhost:9080/realms/test-realm/protocol/openid-connect/token"); + assertThat(oauth2Properties.getClientId()).isEqualTo("clientId"); + assertThat(oauth2Properties.getClientSecret()).isEqualTo("clientSecret"); + assertThat(oauth2Properties.getOauthUsername()).isEqualTo("oauthUsername"); + assertThat(oauth2Properties.getOauthPassword()).isEqualTo("oauthPassword"); + assertThat(oauth2Properties.getGrantType()).isEqualTo("password"); + assertThat(encryptorConfig.getEncryptorAlgorithm()).isEqualTo("PBEWITHHMACSHA512ANDAES_256"); + assertThat(encryptorConfig.getEncryptorIterations()).isEqualTo(10000); + assertThat(oauth2Properties.toString()).contains(ConfigClientOAuth2Properties.class.getSimpleName()); + assertThat(encryptorConfig.toString()).contains(EncryptorConfig.class.getSimpleName()); + + encryptorConfig.setEncryptorAlgorithm(null); + encryptorConfig.buildEncryptor(); + assertThat(encryptorConfig.getEncryptor()).isNotNull(); + } + + @Test + void whenExtractCredentials_givenInvalidUrl_thenThrowException() { + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + properties.setUri(new String[] { "https//localhost:abcd/" }); + Assertions.assertThatThrownBy(() -> { + ReflectionTestUtils.invokeMethod(properties, "extractCredentials", 0); + }).isInstanceOf(IllegalStateException.class).hasMessageContaining("Invalid URL: " + properties.getUri()[0]); + + } + } diff --git a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactoryTest.java b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactoryTest.java new file mode 100644 index 0000000000..548de78b43 --- /dev/null +++ b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactoryTest.java @@ -0,0 +1,217 @@ +/* + * Copyright 2013-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.config.client; + +import java.io.IOException; +import java.util.List; +import java.util.Optional; +import java.util.UUID; + +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.jasypt.encryption.StringEncryptor; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +import org.springframework.http.HttpHeaders; +import org.springframework.http.MediaType; +import org.springframework.http.client.ClientHttpRequestInterceptor; +import org.springframework.mock.env.MockEnvironment; +import org.springframework.test.util.ReflectionTestUtils; +import org.springframework.web.client.RestTemplate; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.cloud.config.client.ConfigClientProperties.AUTHORIZATION; + +/** + * @author Bruce Randall + * + */ +class ConfigClientRequestTemplateFactoryTest { + + private static final Log LOG = LogFactory.getLog(ConfigClientRequestTemplateFactoryTest.class); + + public static MockWebServer mockWebServer; + + private static String idpUrl; + + private static final String TOKEN_RESPONSE = """ + {"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVQ2RaakhjZ0tFU0NFV0w3V1JlMWpnaVRyQVNGbFhndU5CZWVGN1VlUnZJIn0.eyJleHAiOjE3MDE0NDQ2NTcsImlhdCI6MTcwMTQ0NDM1NywianRpIjoiN2IzZTczZTMtZWJlYy00YWE3LWI0MjgtZjRlMmJiYTQxYWNlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDgwL3JlYWxtcy9vc2ludC1yZWFsbSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJhN2EyNWZiMC02MzljLTQxYTktYmEwNS04NDlkYTE0Y2NiMzQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvc2ludC1rZXljbG9hay1jbGllbnQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6ODM1MSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJkZWZhdWx0LXJvbGVzLW9zaW50LXJlYWxtIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJvc2ludC1rZXljbG9hay1jbGllbnQiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iLCJtMm0iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xNy4wLjEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtb3NpbnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjE3Mi4xNy4wLjEiLCJjbGllbnRfaWQiOiJvc2ludC1rZXljbG9hay1jbGllbnQifQ.AFY1g8_DxAq1eXd-qpJP2PD-8g7-n_gIeScX_ESLWB6UHnZtxe_MvPYvn13X6K4olDsPZ37EGE4-BkdY8pgs-UBCD6EsFD_aZmf9PjZFsHDacAKotcvjsb5U9kqbm0wPuyhrhgSftkrx9AceHe_wETzAPoI775MuyQgSWjihLqLnOZSIMu24t-Ga07Xn0yaOoTD2tS1lfkgXWwRrQF1_KQxHftvJDDhJEN0rfEVJ7SOr9meWH0IQ1w8HgjRFBBkOhtp", + "expires_in": 300, + "refresh_expires_in": 0, + "token_type": "Bearer", + "not-before-policy": 0, + "scope": "profile email" + }"""; + + @BeforeAll + static void beforeAll() throws IOException { + mockWebServer = new MockWebServer(); + mockWebServer.start(); + idpUrl = String.format("http://localhost:%s/", mockWebServer.getPort()); + } + + @AfterAll + static void afterAll() throws IOException { + mockWebServer.shutdown(); + } + + @Test + void whenParseTokenResponse_givenValidJson_thenParseToken() { + // given + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + EncryptorConfig encryptorConfig = new EncryptorConfig(); + ConfigClientRequestTemplateFactory templateFactory = new ConfigClientRequestTemplateFactory(LOG, properties); + + // when + Optional tokenOpt = ReflectionTestUtils.invokeMethod(templateFactory, "parseTokenResponse", + TOKEN_RESPONSE); + // then + assertThat(tokenOpt).isPresent(); + AccessTokenResponse tokenResponse = tokenOpt.get(); + assertThat(tokenResponse.getAccessToken()).isNotNull(); + assertThat(tokenResponse.getAccessToken()) + .startsWith("eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVQ2RaakhjZ0tFU0NFV0w3V1JlMWpnaVR"); + assertThat(tokenResponse.getAccessToken()).endsWith("WH0IQ1w8HgjRFBBkOhtp"); + assertThat(tokenResponse.getTokenType()).isNotNull(); + assertThat(tokenResponse.getTokenType()).isEqualTo("Bearer"); + assertThat(tokenResponse.getBearerHeader()) + .isEqualTo(tokenResponse.getTokenType() + " " + tokenResponse.getAccessToken()); + assertThat(templateFactory.getLog()).isNotNull(); + assertThat(templateFactory.getProperties()).isNotNull(); + } + + @Test + void whenCreate_givenTokenUri_thenGetOAuthToken() { + // given + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + ConfigClientOAuth2Properties oauth2Properties = new ConfigClientOAuth2Properties(); + oauth2Properties.setTokenUri(idpUrl + "/realms/test-realm/protocol/openid-connect/token"); + oauth2Properties.setClientId("clientId"); + oauth2Properties.setClientSecret("clientSecret"); + oauth2Properties.setGrantType("client_credentials"); + properties.setConfigClientOAuth2Properties(oauth2Properties); + + ConfigClientRequestTemplateFactory templateFactory = new ConfigClientRequestTemplateFactory(LOG, properties); + Optional tokenOpt = ReflectionTestUtils.invokeMethod(templateFactory, "parseTokenResponse", + TOKEN_RESPONSE); + assertThat(tokenOpt).isPresent(); + AccessTokenResponse tokenResponse = tokenOpt.get(); + mockWebServer.enqueue(new MockResponse().setBody(TOKEN_RESPONSE).setHeader(HttpHeaders.CONTENT_TYPE, + MediaType.APPLICATION_JSON_VALUE)); + // when + RestTemplate restTemplate = templateFactory.create(); + List interceptors = List + .of(new ConfigClientRequestTemplateFactory.GenericRequestHeaderInterceptor(properties.getHeaders())); + restTemplate.setInterceptors(interceptors); + + // then + assertThat(restTemplate).isNotNull(); + assertThat(restTemplate.getInterceptors()).isNotNull(); + assertThat(restTemplate.getInterceptors()).isNotEmpty(); + ConfigClientRequestTemplateFactory.GenericRequestHeaderInterceptor genericInterceptor = (ConfigClientRequestTemplateFactory.GenericRequestHeaderInterceptor) restTemplate + .getInterceptors().get(0); + assertThat(genericInterceptor.getHeaders()).isNotNull(); + assertThat(properties.getHeaders()).isNotNull(); + assertThat(properties.getHeaders()).isNotEmpty(); + String header = properties.getHeaders().get(AUTHORIZATION); + assertThat(header).isEqualTo(tokenResponse.getTokenType() + " " + tokenResponse.getAccessToken()); + assertThat(genericInterceptor.getHeaders().get(AUTHORIZATION)) + .isEqualTo(properties.getHeaders().get(AUTHORIZATION)); + + } + + @Test + void whenCreate_givenNoGrantType_thenIllegalState() { + // given + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + ConfigClientOAuth2Properties oauth2Properties = new ConfigClientOAuth2Properties(); + oauth2Properties.setTokenUri(idpUrl + "/realms/test-realm/protocol/openid-connect/token"); + oauth2Properties.setClientId("clientId"); + oauth2Properties.setClientSecret("clientSecret"); + properties.setConfigClientOAuth2Properties(oauth2Properties); + + // when + try { + ConfigClientRequestTemplateFactory templateFactory = new ConfigClientRequestTemplateFactory(LOG, + properties); + RestTemplate restTemplate = templateFactory.create(); + } + catch (IllegalStateException e) { + // then + assertThat(e.getMessage()).startsWith("OAuth2 Grant Type property required."); + } + } + + @Test + void whenCreate_givenBadTokenResponse_thenNoHeaderSet() { + // given + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + ConfigClientOAuth2Properties oauth2Properties = new ConfigClientOAuth2Properties(); + oauth2Properties.setTokenUri(idpUrl + "/realms/test-realm/protocol/openid-connect/token"); + oauth2Properties.setOauthUsername("oauthUsername"); + oauth2Properties.setOauthPassword("oauthPassword"); + oauth2Properties.setGrantType("password"); + properties.setConfigClientOAuth2Properties(oauth2Properties); + + ConfigClientRequestTemplateFactory templateFactory = new ConfigClientRequestTemplateFactory(LOG, properties); + mockWebServer.enqueue(new MockResponse().setBody("TOKEN_RESPONSE").setHeader(HttpHeaders.CONTENT_TYPE, + MediaType.APPLICATION_JSON_VALUE)); + + // when + templateFactory.create(); + + // then + assertThat(properties.getHeaders()).isNotNull(); + } + + @Test + void whenDecryptProperty_givenEncryptedProp_thenDecryptProp() { + // given + ConfigClientProperties properties = new ConfigClientProperties(new MockEnvironment()); + System.setProperty(EncryptorConfig.ENCRYPTOR_SYSTEM_PROPERTY, "YaddaYaddaYadda"); + EncryptorConfig encryptorConfig = new EncryptorConfig(); + encryptorConfig.setEncryptorAlgorithm("PBEWITHHMACSHA512ANDAES_256"); + properties.setEncryptorConfig(encryptorConfig); + + properties.setConfigClientOAuth2Properties(new ConfigClientOAuth2Properties()); + properties.getConfigClientOAuth2Properties().setGrantType("client_credentials"); + properties.getConfigClientOAuth2Properties() + .setTokenUri(idpUrl + "/realms/test-realm/protocol/openid-connect/token"); + properties.getConfigClientOAuth2Properties().setOauthUsername("oauthUsername"); + properties.getConfigClientOAuth2Properties().setOauthPassword("oauthPassword"); + + StringEncryptor encryptor = encryptorConfig.getEncryptor(); + String secret = UUID.randomUUID().toString(); + String encryptedProp = encryptor.encrypt(secret); + properties.getConfigClientOAuth2Properties().setClientSecret("ENC(" + encryptedProp + ")"); + properties.getConfigClientOAuth2Properties().setOauthPassword("PLAIN OLD TEXT"); + // when + + String actualSecret = encryptorConfig + .decryptProperty(properties.getConfigClientOAuth2Properties().getClientSecret()); + + // then + assertThat(secret).isEqualTo(actualSecret); + actualSecret = encryptorConfig.decryptProperty(properties.getConfigClientOAuth2Properties().getOauthPassword()); + assertThat(actualSecret).isEqualTo("PLAIN OLD TEXT"); + } + +} diff --git a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoaderTests.java b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoaderTests.java index 9fad257d0f..fa8be8d0df 100644 --- a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoaderTests.java +++ b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLoaderTests.java @@ -19,11 +19,14 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.net.URI; +import java.nio.charset.StandardCharsets; import java.util.Arrays; +import java.util.Base64; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.UUID; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -691,4 +694,76 @@ private void mockRequestTimedOut(ClientHttpRequestFactory requestFactory, String when(request.execute()).thenThrow(IOException.class); } + @SuppressWarnings("unchecked") + @Test + void whenRemoteEnvironment_givenOauth_thenAddInterceptor() { + Environment body = new Environment("test", "local"); + mockRequestResponseWithoutLabel(new ResponseEntity<>(body, HttpStatus.OK)); + properties.setLabel(null); + properties.setConfigClientOAuth2Properties(new ConfigClientOAuth2Properties()); + properties.getConfigClientOAuth2Properties() + .setTokenUri("http://localhost:9999/realms/test-realm/protocol/openid-connect/token"); + Map tokenHeader = new HashMap<>(); + tokenHeader.put(AUTHORIZATION, "Bearer " + UUID.randomUUID().toString()); + properties.setHeaders(tokenHeader); + this.loader.getRemoteEnvironment(context, resource, properties.getLabel(), null); + + Mockito.verify(this.restTemplate).exchange(anyString(), any(HttpMethod.class), + httpEntityArgumentCaptor.capture(), any(Class.class), anyString(), anyString()); + + Mockito.verify(this.restTemplate, Mockito.times(1)).setInterceptors(any()); + + } + + @SuppressWarnings("unchecked") + @Test + void whenRemoteEnvironment_givenOauthNoToken_thenNoInterceptor() { + Environment body = new Environment("test", "local"); + mockRequestResponseWithoutLabel(new ResponseEntity<>(body, HttpStatus.OK)); + properties.setConfigClientOAuth2Properties(new ConfigClientOAuth2Properties()); + properties.setLabel(null); + properties.getConfigClientOAuth2Properties() + .setTokenUri("http://localhost:9999/realms/test-realm/protocol/openid-connect/token"); + properties.setSendState(false); + this.loader.getRemoteEnvironment(context, resource, properties.getLabel(), "stale"); + + Mockito.verify(this.restTemplate).exchange(anyString(), any(HttpMethod.class), + httpEntityArgumentCaptor.capture(), any(Class.class), anyString(), anyString()); + + Mockito.verify(this.restTemplate, Mockito.times(0)).setInterceptors(any()); + + } + + @SuppressWarnings("unchecked") + @Test + void whenRemoteEnvironment_givenBasicAuth_thenNoInterceptor() { + Environment body = new Environment("test", "local"); + mockRequestResponseWithoutLabel(new ResponseEntity<>(body, HttpStatus.OK)); + properties.setLabel(null); + this.loader.getRemoteEnvironment(context, resource, properties.getLabel(), "stale"); + + Mockito.verify(this.restTemplate).exchange(anyString(), any(HttpMethod.class), + httpEntityArgumentCaptor.capture(), any(Class.class), anyString(), anyString()); + + Mockito.verify(this.restTemplate, Mockito.times(0)).setInterceptors(any()); + + } + + @SuppressWarnings("unchecked") + @Test + void whenRemoteEnvironment_givenBasicAuthToken_thenNoInterceptor() { + Environment body = new Environment("test", "local"); + mockRequestResponseWithoutLabel(new ResponseEntity<>(body, HttpStatus.OK)); + properties.setLabel(null); + properties.setToken("Basic " + + Arrays.toString(Base64.getEncoder().encode("YaddaYaddaYadda".getBytes(StandardCharsets.UTF_8)))); + this.loader.getRemoteEnvironment(context, resource, properties.getLabel(), "stale"); + + Mockito.verify(this.restTemplate).exchange(anyString(), any(HttpMethod.class), + httpEntityArgumentCaptor.capture(), any(Class.class), anyString(), anyString()); + + Mockito.verify(this.restTemplate, Mockito.times(0)).setInterceptors(any()); + + } + } diff --git a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolverTests.java b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolverTests.java index f2f3c82261..98bf1882e1 100644 --- a/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolverTests.java +++ b/spring-cloud-config-client/src/test/java/org/springframework/cloud/config/client/ConfigServerConfigDataLocationResolverTests.java @@ -183,6 +183,7 @@ void createNewConfigClientPropertiesInBootstrapContext() { verify(bootstrapContext, times(0)).get(eq(ConfigClientProperties.class)); ConfigServerConfigDataResource resource = resources.get(0); assertThat(resource.getProperties().getUri()).isEqualTo(new String[] { "http://locationuri" }); + assertThat(resource.getLog()).isNotNull(); } @Test diff --git a/spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/AwsSecretsManagerEnvironmentRepositoryTests.java b/spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/AwsSecretsManagerEnvironmentRepositoryTests.java index 3b8bfe65ce..51dacbd18b 100644 --- a/spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/AwsSecretsManagerEnvironmentRepositoryTests.java +++ b/spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/AwsSecretsManagerEnvironmentRepositoryTests.java @@ -88,9 +88,11 @@ public class AwsSecretsManagerEnvironmentRepositoryTests { private final AwsSecretsManagerEnvironmentRepository labeledRepository = new AwsSecretsManagerEnvironmentRepository( smClient, configServerProperties, labeledEnvironmentProperties); - private final AwsSecretsManagerEnvironmentProperties ignoreLabelEnvironmentProperties = new AwsSecretsManagerEnvironmentProperties() {{ - setIgnoreLabel(true); - }}; + private final AwsSecretsManagerEnvironmentProperties ignoreLabelEnvironmentProperties = new AwsSecretsManagerEnvironmentProperties() { + { + setIgnoreLabel(true); + } + }; private final AwsSecretsManagerEnvironmentRepository ignoreLabelRepository = new AwsSecretsManagerEnvironmentRepository( smClient, configServerProperties, ignoreLabelEnvironmentProperties); @@ -1849,24 +1851,23 @@ public void testFindOneWithExistingApplicationAndExistingProfileAndExistingLabel String fooDefaultPropertiesName = "aws:secrets:/secret/foo-default/"; PropertySource fooDefaultProperties = new PropertySource(fooDefaultPropertiesName, - getFooDefaultReleaseProperties()); + getFooDefaultReleaseProperties()); String applicationProdPropertiesName = "aws:secrets:/secret/application-prod/"; PropertySource applicationProdProperties = new PropertySource(applicationProdPropertiesName, - getApplicationProdReleaseProperties()); + getApplicationProdReleaseProperties()); String applicationDefaultPropertiesName = "aws:secrets:/secret/application-default/"; PropertySource applicationDefaultProperties = new PropertySource(applicationDefaultPropertiesName, - getApplicationDefaultReleaseProperties()); + getApplicationDefaultReleaseProperties()); String applicationPropertiesName = "aws:secrets:/secret/application/"; PropertySource applicationProperties = new PropertySource(applicationPropertiesName, - getApplicationReleaseProperties()); + getApplicationReleaseProperties()); Environment expectedEnv = new Environment(application, profiles, null, null, null); - expectedEnv.addAll(Arrays.asList( - fooProdProperties, applicationProdProperties, fooDefaultProperties, - applicationDefaultProperties, fooProperties, applicationProperties)); + expectedEnv.addAll(Arrays.asList(fooProdProperties, applicationProdProperties, fooDefaultProperties, + applicationDefaultProperties, fooProperties, applicationProperties)); putSecrets(expectedEnv);