diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index f32665b33..2cc488bd7 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -33,7 +33,7 @@ jobs:
 with:
 java-version: 11
 - name: Build User service
- run: mvn -B verify --file user-service/pom.xml
+ run: mvn -B verify -Pprod --file user-service/pom.xml
 build-assertion-service:
 runs-on: ubuntu-latest
diff --git a/user-service/src/main/java/org/orcid/memberportal/service/user/config/UaaConfiguration.java b/user-service/src/main/java/org/orcid/memberportal/service/user/config/UaaConfiguration.java
index 4c2605b38..b983da69d 100644
--- a/user-service/src/main/java/org/orcid/memberportal/service/user/config/UaaConfiguration.java
+++ b/user-service/src/main/java/org/orcid/memberportal/service/user/config/UaaConfiguration.java
@@ -12,8 +12,6 @@
 import org.orcid.memberportal.service.user.security.AuthoritiesConstants;
 import org.orcid.memberportal.service.user.security.PasswordTokenGranter;
 import org.orcid.memberportal.service.user.services.UserService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -58,8 +56,6 @@ public class UaaConfiguration extends AuthorizationServerConfigurerAdapter imple
 */
 private static final int MIN_ACCESS_TOKEN_VALIDITY_SECS = 60;
- private static final Logger LOG = LoggerFactory.getLogger(UaaConfiguration.class);
-
 private ApplicationContext applicationContext;
 @Autowired
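Review bot: The new `-Pprod` on the Build User service step is undocumented in the workflow, so a reader cannot tell from the step why CI verification has to run under the production profile; a comment above the step, e.g. `# -Pprod: run verify under the production Maven profile declared in user-service/pom.xml`, would record the intent. If that profile changes which configuration the tests load, this job's test run now exercises prod-profile settings rather than the defaults; that is inferred from the flag, not visible in the hunk.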
@@ -88,13 +84,13 @@ public ResourceServerConfiguration(TokenStore tokenStore, JHipsterProperties jHi
 @Override
 public void configure(HttpSecurity http) throws Exception {
 http.exceptionHandling().authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)).and().csrf()
- .disable().addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class).headers().frameOptions().disable().and().sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/api/register").permitAll()
- .antMatchers("/api/activate").permitAll().antMatchers("/api/authenticate").permitAll().antMatchers("/api/account/reset-password/init").permitAll()
- .antMatchers("/api/account/reset-password/finish").permitAll().antMatchers("/api/account/reset-password/validate").permitAll()
- .antMatchers("/api/users/**/resendActivation").permitAll().antMatchers("/api/**").authenticated().antMatchers("/management/health").permitAll()
- .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/v2/api-docs/**").permitAll()
- .antMatchers("/swagger-resources/configuration/ui").permitAll().antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
+ .disable().addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class).headers().frameOptions().disable().and().sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/api/register").permitAll()
+ .antMatchers("/api/activate").permitAll().antMatchers("/api/authenticate").permitAll().antMatchers("/api/account/reset-password/init").permitAll()
+ .antMatchers("/api/account/reset-password/finish").permitAll().antMatchers("/api/account/reset-password/validate").permitAll()
+ .antMatchers("/api/users/**/resendActivation").permitAll().antMatchers("/api/**").authenticated().antMatchers("/management/health").permitAll()
+ .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/v2/api-docs/**").permitAll()
+ .antMatchers("/swagger-resources/configuration/ui").permitAll().antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
 }
 @Override
@@ -122,13 +118,13 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
 refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
 clients.inMemory().withClient(uaaProperties.getWebClientConfiguration().getClientId())
- .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret())).scopes("openid").autoApprove(true)
- .authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code").accessTokenValiditySeconds(accessTokenValidity)
- .refreshTokenValiditySeconds(refreshTokenValidity).and().withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
- .secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret())).scopes("web-app").authorities("ROLE_ADMIN")
- .autoApprove(true).authorizedGrantTypes("client_credentials")
- .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
- .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
+ .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret())).scopes("openid").autoApprove(true)
+ .authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code").accessTokenValiditySeconds(accessTokenValidity)
+ .refreshTokenValiditySeconds(refreshTokenValidity).and().withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
+ .secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret())).scopes("web-app").authorities("ROLE_ADMIN")
+ .autoApprove(true).authorizedGrantTypes("client_credentials")
+ .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
+ .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
 }
 @Override
@@ -156,8 +152,7 @@ public DefaultTokenServices tokenServices() {
 private TokenGranter tokenGranter(final AuthorizationServerEndpointsConfigurer endpoints) {
 PasswordTokenGranter passwordTokenGranter = new PasswordTokenGranter(endpoints, authenticationManager, userService, tokenServices());
 RefreshTokenGranter refreshTokenGranter = new RefreshTokenGranter(tokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory());
- ClientCredentialsTokenGranter clientCredentialsTokenGranter = new ClientCredentialsTokenGranter(tokenServices(), endpoints.getClientDetailsService(),
- endpoints.getOAuth2RequestFactory());
+ ClientCredentialsTokenGranter clientCredentialsTokenGranter = new ClientCredentialsTokenGranter(tokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory());
 return new CompositeTokenGranter(Arrays.asList(passwordTokenGranter, refreshTokenGranter, clientCredentialsTokenGranter));
 }
@@ -167,7 +162,7 @@ private TokenGranter tokenGranter(final AuthorizationServerEndpointsConfigurer e
 /**
 * Apply the token converter (and enhancer) for token store.
- *
+ *
 * @return the {@link JwtTokenStore} managing the tokens.
 */
 @Bean
@@ -180,19 +175,23 @@ public JwtTokenStore tokenStore() {
 * JWT access tokens and Authentication in both directions.
 *
 * @return an access token converter configured with the authorization
- server's public/private keys.
+ server's public/private keys.
 */
 @Bean
 public JwtAccessTokenConverter jwtAccessTokenConverter() {
- JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
- try {
- KeyPair keyPair = new KeyStoreKeyFactory(new FileUrlResource(uaaProperties.getKeyStore().getName()),
- uaaProperties.getKeyStore().getPassword().toCharArray()).getKeyPair(uaaProperties.getKeyStore().getAlias());
- converter.setKeyPair(keyPair);
- } catch (MalformedURLException e) {
- throw new RuntimeException("Error creating keystore factory", e);
+ if (uaaProperties.getKeyStore().getName() != null) {
+ JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
+ try {
+ KeyPair keyPair = new KeyStoreKeyFactory(new FileUrlResource(uaaProperties.getKeyStore().getName()),
+ uaaProperties.getKeyStore().getPassword().toCharArray()).getKeyPair(uaaProperties.getKeyStore().getAlias());
+ converter.setKeyPair(keyPair);
+ } catch (MalformedURLException e) {
+ throw new RuntimeException("Error creating keystore factory", e);
+ }
+ return converter;
+ } else {
+ return null;
 }
- return converter;
 }
 public class RefreshTokenConverter extends JwtAccessTokenConverter {
@@ -200,7 +199,7 @@ public RefreshTokenConverter() {
 super();
 try {
 KeyPair keyPair = new KeyStoreKeyFactory(new FileUrlResource(uaaProperties.getKeyStore().getName()),
- uaaProperties.getKeyStore().getPassword().toCharArray()).getKeyPair(uaaProperties.getKeyStore().getAlias());
+ uaaProperties.getKeyStore().getPassword().toCharArray()).getKeyPair(uaaProperties.getKeyStore().getAlias());
 super.setKeyPair(keyPair);
 } catch (MalformedURLException e) {
 throw new RuntimeException("Error creating keystore factory", e);
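Review bot: `jwtAccessTokenConverter()` now returns null from a `@Bean` method whenever `uaaProperties.getKeyStore().getName()` is unset, so a deployment that is missing its signing keystore no longer fails at startup; `tokenStore()`, whose javadoc says it applies this converter and whose body sits just above the hunk, and any other injection point for `JwtAccessTokenConverter` would receive null and fail later in an unrelated place. Unless the null is deliberate, replace the `return null;` branch with `throw new IllegalStateException("uaa.key-store.name is not set; a keystore is required to sign JWT access tokens");` so misconfiguration stops the authorization server immediately. If the null branch is intended for test profiles (the test application.yml in this commit drops its `uaa.key-store` block, which looks like the trigger), say so in the `@return` tag touched by this hunk, which still promises a converter configured with the server's public/private keys. The `RefreshTokenConverter` constructor in the next hunk still passes `getName()` straight into `FileUrlResource` without the same guard, so the two key-loading paths now disagree on what a missing keystore means.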
diff --git a/user-service/src/test/java/org/orcid/memberportal/service/user/config/SecurityBeanOverrideConfiguration.java b/user-service/src/test/java/org/orcid/memberportal/service/user/config/SecurityBeanOverrideConfiguration.java
index 64b2aad1f..ea245918a 100644
--- a/user-service/src/test/java/org/orcid/memberportal/service/user/config/SecurityBeanOverrideConfiguration.java
+++ b/user-service/src/test/java/org/orcid/memberportal/service/user/config/SecurityBeanOverrideConfiguration.java
@@ -1,6 +1,5 @@
 package org.orcid.memberportal.service.user.config;
-import org.springframework.boot.test.context.TestConfiguration;
 import org.springframework.cloud.client.loadbalancer.RestTemplateCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -14,7 +13,7 @@
 * configuration must be included in {@code @SpringBootTest} in order to take
 * effect.
 */
-@TestConfiguration
+@Configuration
 public class SecurityBeanOverrideConfiguration {
 @Bean
diff --git a/user-service/src/test/resources/config/application.yml b/user-service/src/test/resources/config/application.yml
index b197f34c0..1c179bdd0 100644
--- a/user-service/src/test/resources/config/application.yml
+++ b/user-service/src/test/resources/config/application.yml
@@ -86,20 +86,6 @@ jhipster:
 enabled: true
 report-frequency: 60 # in seconds
-uaa:
- key-store:
- name: src/test/resources/keystore.p12
- password: password
- alias: userservicetest
- web-client-configuration:
- # Access Token is valid for 5 mins
- access-token-validity-in-seconds: 300
- # Refresh Token is valid for 7 days
- refresh-token-validity-in-seconds-for-remember-me: 604800
- #change client secret in production, keep in sync with gateway configuration
- client-id: web_app
- secret: changeit
-
 # ===================================================================
 # Application specific properties
 # Add your own application properties here, see the ApplicationProperties class
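Review bot: The class javadoc kept as context in the second hunk still says the configuration "must be included in {@code @SpringBootTest} in order to take effect", but that sentence described `@TestConfiguration`, which component scanning skips; with `@Configuration` the class becomes eligible for scanning like any other bean definition, presumably for every test whose context scans this package. Update the javadoc to match, e.g. `* configuration is a plain {@code @Configuration} so that component scanning picks it up in tests; it no longer needs to be listed in {@code @SpringBootTest}.` If scan-based pickup was not the goal, the original `@TestConfiguration` with explicit inclusion was the narrower default for a class that overrides security beans.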
diff --git a/user-service/src/test/resources/keystore.p12 b/user-service/src/test/resources/keystore.p12
deleted file mode 100644
index 839fdbc9b..000000000
Binary files a/user-service/src/test/resources/keystore.p12 and /dev/null differ