You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@syncope.apache.org by il...@apache.org on 2018/04/13 07:25:41 UTC
[2/2] syncope git commit: [SYNCOPE-1301] Reworking logic to avoid
conficts
[SYNCOPE-1301] Reworking logic to avoid conficts
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/24f78993
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/24f78993
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/24f78993
Branch: refs/heads/master
Commit: 24f789932141ee05fa12d81eca9d43178953f508
Parents: 9a7afc0
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Fri Apr 13 09:04:17 2018 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Fri Apr 13 09:25:23 2018 +0200
----------------------------------------------------------------------
.../persistence/jpa/entity/JPAAccessToken.java | 2 +-
.../api/data/AccessTokenDataBinder.java | 6 +-
.../java/data/AccessTokenDataBinderImpl.java | 83 ++++++++++----------
.../apache/syncope/core/logic/SAML2SPLogic.java | 17 ++--
4 files changed, 52 insertions(+), 56 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/24f78993/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAAccessToken.java
----------------------------------------------------------------------
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAAccessToken.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAAccessToken.java
index 4ddaed1..e3bc873 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAAccessToken.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAAccessToken.java
@@ -44,7 +44,7 @@ public class JPAAccessToken extends AbstractProvidedKeyEntity implements AccessT
@Temporal(TemporalType.TIMESTAMP)
private Date expiryTime;
- @Column(nullable = true)
+ @Column(unique = true)
private String owner;
@Lob
http://git-wip-us.apache.org/repos/asf/syncope/blob/24f78993/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/AccessTokenDataBinder.java
----------------------------------------------------------------------
diff --git a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/AccessTokenDataBinder.java b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/AccessTokenDataBinder.java
index 4bb64aa..d50fc22 100644
--- a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/AccessTokenDataBinder.java
+++ b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/AccessTokenDataBinder.java
@@ -21,16 +21,14 @@ package org.apache.syncope.core.provisioning.api.data;
import java.util.Date;
import java.util.Map;
import org.apache.commons.lang3.tuple.Pair;
-import org.apache.commons.lang3.tuple.Triple;
import org.apache.syncope.common.lib.to.AccessTokenTO;
import org.apache.syncope.core.persistence.api.entity.AccessToken;
public interface AccessTokenDataBinder {
- Triple<String, String, Date> generateJWT(String subject, long duration, Map<String, Object> claims);
+ Pair<String, Date> generateJWT(String tokenId, String subject, long duration, Map<String, Object> claims);
- Pair<String, Date> create(
- String subject, Map<String, Object> claims, byte[] authorities, boolean replaceExisting);
+ Pair<String, Date> create(String subject, Map<String, Object> claims, byte[] authorities, boolean replace);
Pair<String, Date> update(AccessToken accessToken, byte[] authorities);
http://git-wip-us.apache.org/repos/asf/syncope/blob/24f78993/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
index 350f1ed..0b2e4b6 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
@@ -24,7 +24,6 @@ import java.util.Date;
import java.util.Map;
import javax.annotation.Resource;
import org.apache.commons.lang3.tuple.Pair;
-import org.apache.commons.lang3.tuple.Triple;
import org.apache.cxf.rs.security.jose.common.JoseType;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
@@ -46,8 +45,6 @@ import org.springframework.stereotype.Component;
@Component
public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
- private static final String[] IGNORE_PROPERTIES = { "owner" };
-
private static final RandomBasedGenerator UUID_GENERATOR = Generators.randomBasedGenerator();
@Resource(name = "adminUser")
@@ -72,8 +69,11 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
private DefaultCredentialChecker credentialChecker;
@Override
- public Triple<String, String, Date> generateJWT(
- final String subject, final long duration, final Map<String, Object> claims) {
+ public Pair<String, Date> generateJWT(
+ final String tokenId,
+ final String subject,
+ final long duration,
+ final Map<String, Object> claims) {
credentialChecker.checkIsDefaultJWSKeyInUse();
@@ -81,7 +81,7 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
long expiryTime = currentTime + 60L * duration;
JwtClaims jwtClaims = new JwtClaims();
- jwtClaims.setTokenId(UUID_GENERATOR.generate().toString());
+ jwtClaims.setTokenId(tokenId);
jwtClaims.setSubject(subject);
jwtClaims.setIssuedAt(currentTime);
jwtClaims.setIssuer(jwtIssuer);
@@ -97,52 +97,52 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
String signed = producer.signWith(jwsSignatureProvider);
- return Triple.of(jwtClaims.getTokenId(), signed, new Date(expiryTime * 1000L));
+ return Pair.of(signed, new Date(expiryTime * 1000L));
}
- @Override
- public Pair<String, Date> create(
+ private AccessToken replace(
final String subject,
final Map<String, Object> claims,
final byte[] authorities,
- final boolean replaceExisting) {
-
- String body = null;
- Date expiryTime = null;
-
- AccessToken existing = accessTokenDAO.findByOwner(subject);
- if (existing != null) {
- body = existing.getBody();
- expiryTime = existing.getExpiryTime();
- }
-
- if (replaceExisting || body == null) {
- Triple<String, String, Date> created = generateJWT(
- subject,
- confDAO.find("jwt.lifetime.minutes", 120L),
- claims);
-
- body = created.getMiddle();
- expiryTime = created.getRight();
+ final AccessToken accessToken) {
- AccessToken accessToken = entityFactory.newEntity(AccessToken.class);
- accessToken.setKey(created.getLeft());
- accessToken.setBody(body);
- accessToken.setExpiryTime(expiryTime);
- accessToken.setOwner(subject);
+ Pair<String, Date> generated = generateJWT(
+ accessToken.getKey(),
+ subject,
+ confDAO.find("jwt.lifetime.minutes", 120L),
+ claims);
- if (!adminUser.equals(accessToken.getOwner())) {
- accessToken.setAuthorities(authorities);
- }
+ accessToken.setBody(generated.getLeft());
+ accessToken.setExpiryTime(generated.getRight());
+ accessToken.setOwner(subject);
- accessTokenDAO.save(accessToken);
+ if (!adminUser.equals(accessToken.getOwner())) {
+ accessToken.setAuthorities(authorities);
}
- if (replaceExisting && existing != null) {
- accessTokenDAO.delete(existing);
+ return accessTokenDAO.save(accessToken);
+ }
+
+ @Override
+ public Pair<String, Date> create(
+ final String subject,
+ final Map<String, Object> claims,
+ final byte[] authorities,
+ final boolean replace) {
+
+ AccessToken accessToken = accessTokenDAO.findByOwner(subject);
+ if (accessToken == null) {
+ // no AccessToken found: create new
+ accessToken = entityFactory.newEntity(AccessToken.class);
+ accessToken.setKey(UUID_GENERATOR.generate().toString());
+
+ accessToken = replace(subject, claims, authorities, accessToken);
+ } else if (replace) {
+ // AccessToken found, but replace requested: update existing
+ accessToken = replace(subject, claims, authorities, accessToken);
}
- return Pair.of(body, expiryTime);
+ return Pair.of(accessToken.getBody(), accessToken.getExpiryTime());
}
@Override
@@ -179,8 +179,7 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
@Override
public AccessTokenTO getAccessTokenTO(final AccessToken accessToken) {
AccessTokenTO accessTokenTO = new AccessTokenTO();
- BeanUtils.copyProperties(accessToken, accessTokenTO, IGNORE_PROPERTIES);
- accessTokenTO.setOwner(accessToken.getOwner());
+ BeanUtils.copyProperties(accessToken, accessTokenTO);
return accessTokenTO;
}
http://git-wip-us.apache.org/repos/asf/syncope/blob/24f78993/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 39d8530..3ea54e5 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -18,7 +18,6 @@
*/
package org.apache.syncope.core.logic;
-import org.apache.syncope.core.logic.saml2.SAML2UserManager;
import com.fasterxml.uuid.Generators;
import com.fasterxml.uuid.impl.RandomBasedGenerator;
import java.io.OutputStream;
@@ -34,7 +33,6 @@ import java.util.Map;
import javax.annotation.Resource;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
-import org.apache.commons.lang3.tuple.Triple;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
@@ -52,6 +50,7 @@ import org.apache.syncope.common.lib.types.StandardEntitlement;
import org.apache.syncope.core.logic.saml2.SAML2ReaderWriter;
import org.apache.syncope.core.logic.saml2.SAML2IdPCache;
import org.apache.syncope.core.logic.saml2.SAML2IdPEntity;
+import org.apache.syncope.core.logic.saml2.SAML2UserManager;
import org.apache.syncope.core.persistence.api.dao.AccessTokenDAO;
import org.apache.syncope.core.persistence.api.dao.NotFoundException;
import org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO;
@@ -324,13 +323,13 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
// 3. generate relay state as JWT
Map<String, Object> claims = new HashMap<>();
claims.put(JWT_CLAIM_IDP_DEFLATE, idp.isUseDeflateEncoding());
- Triple<String, String, Date> relayState =
- accessTokenDataBinder.generateJWT(authnRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
+ Pair<String, Date> relayState = accessTokenDataBinder.generateJWT(
+ UUID_GENERATOR.generate().toString(), authnRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
// 4. sign and encode AuthnRequest
switch (idp.getBindingType()) {
case REDIRECT:
- requestTO.setRelayState(URLEncoder.encode(relayState.getMiddle(), StandardCharsets.UTF_8.name()));
+ requestTO.setRelayState(URLEncoder.encode(relayState.getLeft(), StandardCharsets.UTF_8.name()));
requestTO.setContent(URLEncoder.encode(
saml2rw.encode(authnRequest, true), StandardCharsets.UTF_8.name()));
requestTO.setSignAlg(URLEncoder.encode(saml2rw.getSigAlgo(), StandardCharsets.UTF_8.name()));
@@ -341,7 +340,7 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
case POST:
default:
- requestTO.setRelayState(relayState.getMiddle());
+ requestTO.setRelayState(relayState.getLeft());
saml2rw.sign(authnRequest);
requestTO.setContent(saml2rw.encode(authnRequest, idp.isUseDeflateEncoding()));
}
@@ -606,9 +605,9 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
Map<String, Object> claims = new HashMap<>();
claims.put(JWT_CLAIM_IDP_DEFLATE,
idp.getBindingType() == SAML2BindingType.REDIRECT ? true : idp.isUseDeflateEncoding());
- Triple<String, String, Date> relayState =
- accessTokenDataBinder.generateJWT(logoutRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
- requestTO.setRelayState(relayState.getMiddle());
+ Pair<String, Date> relayState = accessTokenDataBinder.generateJWT(
+ UUID_GENERATOR.generate().toString(), logoutRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
+ requestTO.setRelayState(relayState.getLeft());
// 4. sign and encode AuthnRequest
switch (idp.getBindingType()) {