From 3b6239f84a4e55ff82b13674a2deb0035041eae2 Mon Sep 17 00:00:00 2001
From: "michele.artini"
Date: Wed, 4 Nov 2020 10:30:29 +0100
Subject: [PATCH] oauth2 first steps

---
 .../import_certificates.sh | 13 +
 apps/dnet-orgs-database-application/pom.xml | 4 +
 .../dnet-orgs-database-application/report.xml | 476 ++++++++++++++++++
 .../organizations/WebSecurityConfig.java | 92 ++--
 .../src/main/resources/application.properties | 23 +
 .../src/main/resources/templates/home.html | 2 +-
 6 files changed, 559 insertions(+), 51 deletions(-)
 create mode 100755 apps/dnet-orgs-database-application/import_certificates.sh
 create mode 100644 apps/dnet-orgs-database-application/report.xml

diff --git a/apps/dnet-orgs-database-application/import_certificates.sh b/apps/dnet-orgs-database-application/import_certificates.sh
new file mode 100755
index 00000000..7671f3ff
--- /dev/null
+++ b/apps/dnet-orgs-database-application/import_certificates.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+CACERT_DIR=/Users/michele/.jenv/versions/1.8/jre/lib/security/cacerts
+
+echo "Importing HTTPS Cerificates in $CACERT_DIR"
+
+TMP_FILE=`mktemp /tmp/cert.XXXXXX`
+echo -n | openssl s_client -connect openaire-dev.aai-dev.grnet.gr:443 | openssl x509 > $TMP_FILE
+keytool -import -alias example -keystore $CACERT_DIR -file $TMP_FILE
+
+echo
+echo "Done."
+echo
diff --git a/apps/dnet-orgs-database-application/pom.xml b/apps/dnet-orgs-database-application/pom.xml
index ff6ebfff..3a61b656 100644
--- a/apps/dnet-orgs-database-application/pom.xml
+++ b/apps/dnet-orgs-database-application/pom.xml
@@ -31,6 +31,10 @@
 org.springframework.boot
 spring-boot-starter-security
+
+ org.springframework.boot
+ spring-boot-starter-oauth2-client
+
 org.thymeleaf.extras
 thymeleaf-extras-springsecurity5
diff --git a/apps/dnet-orgs-database-application/report.xml b/apps/dnet-orgs-database-application/report.xml
new file mode 100644
index 00000000..36b02463
--- /dev/null
+++ b/apps/dnet-orgs-database-application/report.xml
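Review bot: The certificate fetched by `openssl s_client -connect … | openssl x509` is whatever answers on the wire and goes straight into the JVM trust store via `keytool -import`, so the script cannot notice that it is trusting the wrong certificate; it should print the SHA-256 fingerprint and have the operator confirm it against a value obtained out of band before importing. `s_client` is also called without `-servername`, so a host serving several names may hand back a different certificate than a browser sees, and importing the leaf certificate rather than the issuing CA means the trust entry dies at the next rotation. `$CACERT_DIR` is hard-coded to one developer's home directory and is the system `cacerts` keystore, which argues for keeping this helper out of the repository or at least documenting it as local-dev only. The temp file is never removed and `$TMP_FILE`/`$CACERT_DIR` are unquoted.
```bash
set -euo pipefail

CACERT_DIR="${CACERT_DIR:-/Users/michele/.jenv/versions/1.8/jre/lib/security/cacerts}"
HOST=openaire-dev.aai-dev.grnet.gr

TMP_FILE=$(mktemp /tmp/cert.XXXXXX)
trap 'rm -f "$TMP_FILE"' EXIT

echo -n | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | openssl x509 > "$TMP_FILE"
echo "Certificate about to be trusted:"
openssl x509 -in "$TMP_FILE" -noout -subject -fingerprint -sha256
read -r -p "Does the fingerprint match the one published by the provider? [y/N] " ok
[ "$ok" = "y" ] || exit 1

keytool -import -alias "$HOST" -keystore "$CACERT_DIR" -file "$TMP_FILE"
# … unchanged: closing echo lines …
```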
@@ -0,0 +1,476 @@ + + + + Feature Extraction + + + TCPFLOW + 1.5.0 + + 4.2.1 (4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.8)) + -D_THREAD_SAFE -pthread -I/usr/local/include -I/usr/local/include -DUTC_OFFSET=+0000 + -g -D_THREAD_SAFE -pthread -g -O3 -MD -Wpointer-arith -Wmissing-declarations -Wmissing-prototypes -Wshadow -Wwrite-strings -Wcast-align -Waggregate-return -Wbad-function-cast -Wcast-qual -Wundef -Wredundant-decls -Wdisabled-optimization -Wfloat-equal -Wmultichar -Wc++-compat -Wmissing-noreturn -Wall -Wstrict-prototypes -MD -D_FORTIFY_SOURCE=2 -Wpointer-arith -Wmissing-declarations -Wmissing-prototypes -Wshadow -Wwrite-strings -Wcast-align -Waggregate-return -Wbad-function-cast -Wcast-qual -Wundef -Wredundant-decls -Wdisabled-optimization -Wfloat-equal -Wmultichar -Wc++-compat -Wmissing-noreturn -Wall -Wstrict-prototypes + -g -D_THREAD_SAFE -pthread -g -O3 -Wall -MD -D_FORTIFY_SOURCE=2 -Wpointer-arith -Wshadow -Wwrite-strings -Wcast-align -Wredundant-decls -Wdisabled-optimization -Wfloat-equal -Wmultichar -Wmissing-noreturn -Woverloaded-virtual -Wsign-promo -funit-at-a-time -Weffc++ -std=c++11 -Wall -MD -D_FORTIFY_SOURCE=2 -Wpointer-arith -Wshadow -Wwrite-strings -Wcast-align -Wredundant-decls -Wdisabled-optimization -Wfloat-equal -Wmultichar -Wmissing-noreturn -Woverloaded-virtual -Wsign-promo -funit-at-a-time -Weffc++ + -L/usr/local/lib -L/usr/local/lib + -lpython2.7 -lpython2.7 -lpcap -lbz2 -lexpat -lsqlite3 -lcrypto -lssl -lcrypto -ldl -lz + 2019-10-11T01:16:58 + + + + + Darwin + 19.6.0 + Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 + Micheles-MBP.local + x86_64 + tcpflow -c -i any port 8080 + 0 + root + 2020-11-03T15:32:30Z + + + + + 0 + + + ::1.08080-::1.53199 + 214372 + + + + ::1.08080-::1.53223 + 73584 + + + + ::1.08080-::1.53224 + 738274 + + + + ::1.08080-::1.53225 + 175020 + + + + ::1.08080-::1.53226 + 156296 + + + + ::1.08080-::1.53227 + 125580 + + + + ::1.08080-::1.53232 + 1220 + + + 
+ ::1.08080-::1.53351 + 2440 + + + + ::1.08080-::1.53355 + 26250 + + + + 127.000.000.001.08080-127.000.000.001.53609 + 7550 + + + + ::1.53633-::1.08080 + 1480 + + + + 127.000.000.001.08080-127.000.000.001.53641 + 3286 + + + + ::1.08080-::1.53634 + 331886 + + + + ::1.08080-::1.53636 + 950 + + + + ::1.08080-::1.53635 + 610055 + + + + ::1.08080-::1.53637 + 231604 + + + + ::1.08080-::1.53638 + 126040 + + + + ::1.08080-::1.53639 + 165006 + + + + ::1.08080-::1.53640 + 188944 + + + + 127.000.000.001.08080-127.000.000.001.53658 + 3284 + + + + 127.000.000.001.08080-127.000.000.001.53662 + 7550 + + + + 127.000.000.001.08080-127.000.000.001.53695 + 6292 + + + + ::1.08080-::1.53643 + 1672152 + + + + ::1.08080-::1.53644 + 1540618 + + + + ::1.08080-::1.53645 + 680702 + + + + ::1.08080-::1.53647 + 1777902 + + + + ::1.08080-::1.53646 + 951764 + + + + ::1.08080-::1.53648 + 409013 + + + + ::1.08080-::1.53689 + 26698 + + + + 127.000.000.001.08080-127.000.000.001.53704 + 4678 + + + + 127.000.000.001.08080-127.000.000.001.53706 + 4678 + + + + 127.000.000.001.53774-127.000.000.001.08080 + 1136 + + + + 127.000.000.001.08080-127.000.000.001.53775 + 926 + + + + 127.000.000.001.08080-127.000.000.001.53870 + 4678 + + + + ::1.08080-::1.53777 + 950 + + + + ::1.08080-::1.53776 + 495102 + + + + ::1.08080-::1.53780 + 461951 + + + + ::1.08080-::1.53779 + 216914 + + + + ::1.08080-::1.53778 + 59326 + + + + ::1.08080-::1.53703 + 766 + + + + ::1.08080-::1.53705 + 253782 + + + + 127.000.000.001.53870-127.000.000.001.08080 + 2796 + + + + ::1.53780-::1.08080 + 3284 + + + + 127.000.000.001.53609-127.000.000.001.08080 + 396 + + + + 127.000.000.001.53706-127.000.000.001.08080 + 2796 + + + + 127.000.000.001.53704-127.000.000.001.08080 + 2796 + + + + ::1.53689-::1.08080 + 1600 + + + + 127.000.000.001.53662-127.000.000.001.08080 + 396 + + + + ::1.53705-::1.08080 + 8304 + + + + 127.000.000.001.53658-127.000.000.001.08080 + 2796 + + + + ::1.53645-::1.08080 + 16711 + + + + ::1.53644-::1.08080 + 15876 + + + + 
::1.53643-::1.08080 + 40162 + + + + 127.000.000.001.53641-127.000.000.001.08080 + 2798 + + + + ::1.53640-::1.08080 + 1496 + + + + ::1.53639-::1.08080 + 4478 + + + + ::1.53703-::1.08080 + 1510 + + + + 127.000.000.001.08080-127.000.000.001.53774 + 3752 + + + + ::1.53199-::1.08080 + 5152 + + + + ::1.53776-::1.08080 + 4828 + + + + ::1.53635-::1.08080 + 4480 + + + + 127.000.000.001.53775-127.000.000.001.08080 + 1660 + + + + ::1.53634-::1.08080 + 12734 + + + + 0 + + + + ::1.53632-::1.08080 + 1480 + + + + ::1.53778-::1.08080 + 3244 + + + + ::1.53637-::1.08080 + 6146 + + + + ::1.53646-::1.08080 + 19846 + + + + ::1.53355-::1.08080 + 3858 + + + + ::1.53351-::1.08080 + 3284 + + + + ::1.53779-::1.08080 + 4870 + + + + ::1.53638-::1.08080 + 4542 + + + + ::1.53647-::1.08080 + 19552 + + + + ::1.53224-::1.08080 + 5162 + + + + ::1.53223-::1.08080 + 6972 + + + + 127.000.000.001.53695-127.000.000.001.08080 + 3146 + + + + ::1.53648-::1.08080 + 13112 + + + + ::1.08080-::1.53633 + 26366 + + + + ::1.53225-::1.08080 + 6974 + + + + ::1.53232-::1.08080 + 1688 + + + + ::1.53777-::1.08080 + 3268 + + + + ::1.53636-::1.08080 + 3034 + + + + ::1.53226-::1.08080 + 5122 + + + + ::1.53227-::1.08080 + 5296 + + + + + 0 + 0 + 84 + 43 + 4098 + + 0.907236 + 0.389275 + 2375680 + 766 + 13 + 0 + 0 + 0 + 585.519673 + + diff --git a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java index 283f0427..cb352827 100644 --- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java +++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java 
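Review bot: `report.xml` is a tcpflow run report (the recorded command is `tcpflow -c -i any port 8080`, run as `root` on `Micheles-MBP.local`) and nothing in the application reads it, so it looks like a local debugging artifact staged by accident rather than part of the OAuth2 change. It leaks the developer's hostname, kernel build and a few dozen loopback flows, and since port 8080 is where the OIDC server in `application.properties` listens, any companion capture output from the same session should be assumed to contain credentials and be discarded too. Drop the file from this commit and add it to `.gitignore` so it cannot come back.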
@@ -1,78 +1,70 @@ package eu.dnetlib.organizations; -import javax.sql.DataSource; - -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.crypto.factory.PasswordEncoderFactories; -import org.springframework.security.crypto.password.PasswordEncoder; -import org.springframework.security.web.access.AccessDeniedHandler; - -import eu.dnetlib.organizations.controller.UserRole; @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Autowired - private DataSource dataSource; + // @Autowired + // private DataSource dataSource; - @Autowired - private AccessDeniedHandler accessDeniedHandler; + // @Autowired + // private AccessDeniedHandler accessDeniedHandler; @Value("${openaire.api.valid.subnet}") private String openaireApiValidSubnet; + // @Autowired + // private ClientRegistrationRepository clientRegistrationRepository; + @Override protected void configure(final HttpSecurity http) throws Exception { - http.csrf() - .disable() - .authorizeRequests() - .antMatchers("/", "/api/**") - .hasAnyRole(UserRole.ADMIN.name(), UserRole.NATIONAL_ADMIN.name(), UserRole.USER.name()) - .antMatchers("/registration_api/**") - .hasRole(UserRole.NOT_AUTHORIZED.name()) - .antMatchers("/resources/**", "/webjars/**") - .permitAll() - .antMatchers("/oa_api/**") - .hasIpAddress(openaireApiValidSubnet) + http.authorizeRequests() .anyRequest() 
.authenticated() .and() - .formLogin() - .loginPage("/login") - .permitAll() - .and() - .logout() - .permitAll() - .and() - .exceptionHandling() - .accessDeniedHandler(accessDeniedHandler); + .oauth2Login(); } - @Autowired - public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception { - auth.jdbcAuthentication() - .dataSource(dataSource) - .usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true") // TODO: this is a MOCK, the user should - // be authenticated using the openaire - // credentials - .authoritiesByUsernameQuery("with const as (SELECT ? as email) " - + "select c.email, 'ROLE_'||coalesce(u.role, '" - + UserRole.NOT_AUTHORIZED - + "') from const c left outer join users u on (u.email = c.email)"); - } + /* + * @Bean public ClientRegistration.Builder clientRegistration() { final Map metadata = new HashMap<>(); + * metadata.put("end_session_endpoint", "https://jhipster.org/logout"); + * + * return ClientRegistration.withRegistrationId("oidc") .redirectUriTemplate("{baseUrl}/{action}/oauth2/code/{registrationId}") + * .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) + * .scope("read:user") .authorizationUri("https://jhipster.org/login/oauth/authorize") + * .tokenUri("https://jhipster.org/login/oauth/access_token") .jwkSetUri("https://jhipster.org/oauth/jwk") + * .userInfoUri("https://api.jhipster.org/user") .providerConfigurationMetadata(metadata) .userNameAttributeName("id") + * .clientName("Client Name") .clientId("client-id") .clientSecret("client-secret"); } + */ - @Bean - public PasswordEncoder passwordEncoder() { - return PasswordEncoderFactories.createDelegatingPasswordEncoder(); - } + /* + * @Autowired public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication() + * .dataSource(dataSource) .usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true") // 
TODO: this is a MOCK, the + * user should // be authenticated using the openaire // credentials .authoritiesByUsernameQuery("with const as (SELECT ? as email) " + + * "select c.email, 'ROLE_'||coalesce(u.role, '" + UserRole.NOT_AUTHORIZED + + * "') from const c left outer join users u on (u.email = c.email)"); } + * + * @Bean public PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); } + */ + + // https://www.baeldung.com/spring-security-openid-connect + + // https://github.com/mitreid-connect/ + // https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client + // https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration + + // https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-login-core/trunk/ + // https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-user-management/trunk/ + // https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-openaire-users/trunk/ + // https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-login/trunk/ + + // Aprire Ticket a GRNET con Argiro e Katerina come watchers } diff --git a/apps/dnet-orgs-database-application/src/main/resources/application.properties b/apps/dnet-orgs-database-application/src/main/resources/application.properties index 878c1797..d346291c 100644 --- a/apps/dnet-orgs-database-application/src/main/resources/application.properties +++ b/apps/dnet-orgs-database-application/src/main/resources/application.properties @@ -1,3 +1,5 @@ +server.port=8480 + spring.main.banner-mode = off logging.level.root = INFO 
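Review bot: The new `configure()` collapses the per-path rules into a single `anyRequest().authenticated()`, so the subnet restriction on `/oa_api/**` (`hasIpAddress(openaireApiValidSubnet)`), the `permitAll()` for `/resources/**` and `/webjars/**`, and the role checks on `/`, `/api/**` and `/registration_api/**` are all gone, while `openaireApiValidSubnet` is still injected but never read. Any OIDC-authenticated user now reaches every endpoint, and the machine-to-machine `/oa_api/**` callers that were admitted by source address will be redirected to the OIDC login instead. Restoring the subnet and static-resource matchers ahead of `anyRequest()` does not depend on the login mechanism; the role matchers additionally need a `GrantedAuthoritiesMapper` (or a custom `OAuth2UserService`) that maps the authenticated email to the `users` table role, which the now-commented `authoritiesByUsernameQuery` used to do. Dropping `csrf().disable()` re-enables CSRF protection, which is the right default, but clients that POST to `/api/**` will need to carry the token. The mock `{MD5}` user query still sits in the block comment and should be deleted rather than kept.
```java
	@Override
	protected void configure(final HttpSecurity http) throws Exception {
		http.authorizeRequests()
			.antMatchers("/resources/**", "/webjars/**")
			.permitAll()
			.antMatchers("/oa_api/**")
			.hasIpAddress(openaireApiValidSubnet)
			// role-based matchers for "/", "/api/**" and "/registration_api/**" belong here
			// once the OIDC principal's email is mapped to the users-table role
			.anyRequest()
			.authenticated()
			.and()
			.oauth2Login();
	}
```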
@@ -21,4 +23,25 @@ spring.jpa.properties.hibernate.format_sql=false
 openaire.api.valid.subnet = 10.19.65.0/24
 openaire.api.https.proxy = 10.19.65.35
+spring.security.oauth2.client.registration.oidc.provider = oidc
+spring.security.oauth2.client.registration.oidc.client-id = 964b69cd-4658-4251-a153-edfadfaf15aa
+spring.security.oauth2.client.registration.oidc.client-secret = ALsqw6oBp7J0JOYmWExlT6PMN3R8-j413KOipsDZJVOPv1EfMwHfiDhvsa96gkiU8YmIpGmJgLDkDycvQp30QiE
+spring.security.oauth2.client.registration.oidc.scope = openid,email
+
+spring.security.oauth2.client.provider.oidc.issuer-uri = http://localhost:8080/openid-connect-server-webapp/
+spring.security.oauth2.client.provider.oidc.authorization-uri = http://localhost:8080/openid-connect-server-webapp/authorize
+spring.security.oauth2.client.provider.oidc.jwk-set-uri = http://localhost:8080/openid-connect-server-webapp/jwk
+spring.security.oauth2.client.provider.oidc.token-uri = http://localhost:8080/openid-connect-server-webapp/token
+spring.security.oauth2.client.provider.oidc.user-info-uri = http://localhost:8080/openid-connect-server-webapp/userinfo
+
+
+#spring.security.oauth2.client.provider.oidc.user-info-authentication-method=
+#spring.security.oauth2.client.provider.oidc.user-name-attribute=
+
+
+#spring.security.oauth2.client.registration.google.client-secret =
+#spring.security.oauth2.client.registration.google.client-id =
+
+#spring.security.oauth2.client.registration.github.client-secret =
+#spring.security.oauth2.client.registration.github.client-id =
diff --git a/apps/dnet-orgs-database-application/src/main/resources/templates/home.html b/apps/dnet-orgs-database-application/src/main/resources/templates/home.html
index ed779b6b..143d50aa 100644
--- a/apps/dnet-orgs-database-application/src/main/resources/templates/home.html
+++ b/apps/dnet-orgs-database-application/src/main/resources/templates/home.html
@@ -111,7 +111,7 @@ fieldset > legend { font-size : 1.2rem !important; }
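Review bot: `spring.security.oauth2.client.registration.oidc.client-secret` is committed in clear text next to its `client-id`; a secret that has been in git history has to be treated as disclosed, so it should be rotated at the provider and read from the environment instead, `spring.security.oauth2.client.registration.oidc.client-secret = ${OIDC_CLIENT_SECRET}`. The provider endpoints are all plain `http://localhost:8080/…`, which is acceptable for the local OpenID Connect test server but `issuer-uri` (and the discovery document it triggers) must be `https` in any deployed profile. Giving `issuer-uri` together with the four explicit endpoint URIs is also redundant — Spring fills the endpoints from discovery when only `issuer-uri` is set — so keeping one form avoids the two drifting apart.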