fix(config-api): smtp password decryption and encryption logic (#4161)

* fix(config-api): customObjectClass changes * fix(config-api): user custom attribute changes and agama param changes * fix(config-api): user custom attribute changes and agama param changes * fix(config-api): user custom attribute changes and agama param changes * feat(config-api): agama deployment path param change and client authorization * feat(config-api): agama deployment path param change and client authorization * feat(config-api): agama deployment path param change and client authorization * fix(config-api): smtp password decryption and encryption logic
JanssenProject · Mar 15, 2023 · 4aefb0d · 4aefb0d
1 parent 2b5ddc2
commit 4aefb0d
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 41 deletions.
diff --git a/jans-config-api/docs/jans-config-api-swagger.yaml b/jans-config-api/docs/jans-config-api-swagger.yaml
@@ -7687,17 +7687,17 @@ components:
           type: string
         whitePagesCanView:
           type: boolean
-        adminCanView:
+        adminCanEdit:
           type: boolean
         userCanView:
           type: boolean
         userCanEdit:
           type: boolean
         adminCanAccess:
           type: boolean
-        userCanAccess:
+        adminCanView:
           type: boolean
-        adminCanEdit:
+        userCanAccess:
           type: boolean
         baseDn:
           type: string
@@ -8422,8 +8422,6 @@ components:
           type: object
           additionalProperties:
             type: string
-        fapi:
-          type: boolean
         allResponseTypesSupported:
           uniqueItems: true
           type: array
@@ -8433,6 +8431,8 @@ components:
             - code
             - token
             - id_token
+        fapi:
+          type: boolean
     AuthenticationFilter:
       required:
       - baseDn
@@ -8955,6 +8955,17 @@ components:
           format: int32
         displayName:
           type: string
+        authenticationMethod:
+          type: string
+          enum:
+          - client_secret_basic
+          - client_secret_post
+          - client_secret_jwt
+          - private_key_jwt
+          - access_token
+          - tls_client_auth
+          - self_signed_tls_client_auth
+          - none
         allAuthenticationMethods:
           uniqueItems: true
           type: array
@@ -8969,17 +8980,6 @@ components:
             - tls_client_auth
             - self_signed_tls_client_auth
             - none
-        authenticationMethod:
-          type: string
-          enum:
-          - client_secret_basic
-          - client_secret_post
-          - client_secret_jwt
-          - private_key_jwt
-          - access_token
-          - tls_client_auth
-          - self_signed_tls_client_auth
-          - none
         baseDn:
           type: string
         inum:
@@ -9304,14 +9304,14 @@ components:
           type: boolean
         internal:
           type: boolean
-        locationPath:
-          type: string
         locationType:
           type: string
           enum:
           - ldap
           - db
           - file
+        locationPath:
+          type: string
         baseDn:
           type: string
     ScriptError:

diff --git a/jans-config-api/profiles/default/config-api-test.properties b/jans-config-api/profiles/default/config-api-test.properties
@@ -1,7 +1,7 @@
 # The URL of your Jans installation
 test.server=https://jenkins-config-api.gluu.org
 
-test.scopes=https://jans.io/oauth/config/acrs.readonly https://jans.io/oauth/config/acrs.write https://jans.io/oauth/config/attributes.readonly https://jans.io/oauth/config/attributes.write https://jans.io/oauth/config/attributes.delete https://jans.io/oauth/config/cache.readonly https://jans.io/oauth/config/cache.write https://jans.io/oauth/config/openid/clients.readonly https://jans.io/oauth/config/openid/clients.write https://jans.io/oauth/config/openid/clients.delete https://jans.io/oauth/jans-auth-server/config/properties.readonly https://jans.io/oauth/jans-auth-server/config/properties.write https://jans.io/oauth/config/smtp.readonly https://jans.io/oauth/config/smtp.write https://jans.io/oauth/config/smtp.delete https://jans.io/oauth/config/scripts.readonly https://jans.io/oauth/config/scripts.write https://jans.io/oauth/config/scripts.delete https://jans.io/oauth/config/fido2.readonly https://jans.io/oauth/config/fido2.write https://jans.io/oauth/config/jwks.readonly https://jans.io/oauth/config/jwks.write https://jans.io/oauth/config/jwks.delete https://jans.io/oauth/config/database/ldap.readonly https://jans.io/oauth/config/database/ldap.write https://jans.io/oauth/config/database/ldap.delete https://jans.io/oauth/config/logging.readonly https://jans.io/oauth/config/logging.write https://jans.io/oauth/config/scopes.readonly https://jans.io/oauth/config/scopes.write https://jans.io/oauth/config/scopes.delete https://jans.io/oauth/config/uma/resources.readonly https://jans.io/oauth/config/uma/resources.write https://jans.io/oauth/config/uma/resources.delete https://jans.io/oauth/config/database/sql.readonly https://jans.io/oauth/config/database/sql.write https://jans.io/oauth/config/database/sql.delete https://jans.io/oauth/config/stats.readonly jans_stat https://jans.io/scim/users.read https://jans.io/scim/users.write https://jans.io/oauth/config/scim/users.read https://jans.io/oauth/config/scim/users.write https://jans.io/scim/config.readonly https://jans.io/scim/config.write https://jans.io/oauth/config/organization.readonly https://jans.io/oauth/config/organization.write https://jans.io/oauth/config/user.readonly https://jans.io/oauth/config/user.write https://jans.io/oauth/config/user.delete https://jans.io/oauth/config/agama.readonly https://jans.io/oauth/config/agama.write https://jans.io/oauth/config/agama.delete https://jans.io/oauth/jans-auth-server/session.readonly https://jans.io/oauth/jans-auth-server/session.delete revoke_session
+test.scopes=https://jans.io/oauth/config/acrs.readonly https://jans.io/oauth/config/acrs.write https://jans.io/oauth/config/attributes.readonly https://jans.io/oauth/config/attributes.write https://jans.io/oauth/config/attributes.delete https://jans.io/oauth/config/cache.readonly https://jans.io/oauth/config/cache.write https://jans.io/oauth/config/openid/clients.readonly https://jans.io/oauth/config/openid/clients.write https://jans.io/oauth/config/openid/clients.delete https://jans.io/oauth/jans-auth-server/config/properties.readonly https://jans.io/oauth/jans-auth-server/config/properties.write https://jans.io/oauth/config/smtp.readonly https://jans.io/oauth/config/smtp.write https://jans.io/oauth/config/smtp.delete https://jans.io/oauth/config/scripts.readonly https://jans.io/oauth/config/scripts.write https://jans.io/oauth/config/scripts.delete https://jans.io/oauth/config/fido2.readonly https://jans.io/oauth/config/fido2.write https://jans.io/oauth/config/jwks.readonly https://jans.io/oauth/config/jwks.write https://jans.io/oauth/config/jwks.delete https://jans.io/oauth/config/database/ldap.readonly https://jans.io/oauth/config/database/ldap.write https://jans.io/oauth/config/database/ldap.delete https://jans.io/oauth/config/logging.readonly https://jans.io/oauth/config/logging.write https://jans.io/oauth/config/scopes.readonly https://jans.io/oauth/config/scopes.write https://jans.io/oauth/config/scopes.delete https://jans.io/oauth/config/uma/resources.readonly https://jans.io/oauth/config/uma/resources.write https://jans.io/oauth/config/uma/resources.delete https://jans.io/oauth/config/database/sql.readonly https://jans.io/oauth/config/database/sql.write https://jans.io/oauth/config/database/sql.delete https://jans.io/oauth/config/stats.readonly jans_stat https://jans.io/scim/users.read https://jans.io/scim/users.write https://jans.io/oauth/config/scim/users.read https://jans.io/oauth/config/scim/users.write https://jans.io/scim/config.readonly https://jans.io/scim/config.write https://jans.io/oauth/config/organization.readonly https://jans.io/oauth/config/organization.write https://jans.io/oauth/config/user.readonly https://jans.io/oauth/config/user.write https://jans.io/oauth/config/user.delete https://jans.io/oauth/config/agama.readonly https://jans.io/oauth/config/agama.write https://jans.io/oauth/config/agama.delete https://jans.io/oauth/jans-auth-server/session.readonly https://jans.io/oauth/jans-auth-server/session.delete revoke_session https://jans.io/oauth/config/read-all https://jans.io/oauth/config/write-all https://jans.io/oauth/config/delete-all https://jans.io/oauth/config/openid-read https://jans.io/oauth/config/openid-write https://jans.io/oauth/config/openid-delete https://jans.io/oauth/config/uma-read https://jans.io/oauth/config/uma-write https://jans.io/oauth/config/uma-delete https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write https://jans.io/oauth/jans-auth-server/config/adminui/read-all https://jans.io/oauth/jans-auth-server/config/adminui/write-all https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete https://jans.io/oauth/jans-auth-server/config/adminui/delete-all https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly https://jans.io/oauth/jans-auth-server/config/adminui/license.write https://jans.io/oauth/config/plugin.readonly https://jans.io/oauth/client/authorizations.readonly https://jans.io/oauth/client/authorizations.delete
 
 token.endpoint=https://jenkins-config-api.gluu.org/jans-auth/restv1/token
 token.grant.type=client_credentials

diff --git a/jans-config-api/profiles/local/test.properties b/jans-config-api/profiles/local/test.properties
@@ -2,8 +2,8 @@
 test.scopes=https://jans.io/oauth/config/acrs.readonly https://jans.io/oauth/config/acrs.write https://jans.io/oauth/config/attributes.readonly https://jans.io/oauth/config/attributes.write https://jans.io/oauth/config/attributes.delete https://jans.io/oauth/config/cache.readonly https://jans.io/oauth/config/cache.write https://jans.io/oauth/config/openid/clients.readonly https://jans.io/oauth/config/openid/clients.write https://jans.io/oauth/config/openid/clients.delete https://jans.io/oauth/jans-auth-server/config/properties.readonly https://jans.io/oauth/jans-auth-server/config/properties.write https://jans.io/oauth/config/smtp.readonly https://jans.io/oauth/config/smtp.write https://jans.io/oauth/config/smtp.delete https://jans.io/oauth/config/scripts.readonly https://jans.io/oauth/config/scripts.write https://jans.io/oauth/config/scripts.delete https://jans.io/oauth/config/fido2.readonly https://jans.io/oauth/config/fido2.write https://jans.io/oauth/config/jwks.readonly https://jans.io/oauth/config/jwks.write https://jans.io/oauth/config/jwks.delete https://jans.io/oauth/config/database/ldap.readonly https://jans.io/oauth/config/database/ldap.write https://jans.io/oauth/config/database/ldap.delete https://jans.io/oauth/config/logging.readonly https://jans.io/oauth/config/logging.write https://jans.io/oauth/config/scopes.readonly https://jans.io/oauth/config/scopes.write https://jans.io/oauth/config/scopes.delete https://jans.io/oauth/config/uma/resources.readonly https://jans.io/oauth/config/uma/resources.write https://jans.io/oauth/config/uma/resources.delete https://jans.io/oauth/config/database/sql.readonly https://jans.io/oauth/config/database/sql.write https://jans.io/oauth/config/database/sql.delete https://jans.io/oauth/config/stats.readonly jans_stat https://jans.io/scim/users.read https://jans.io/scim/users.write https://jans.io/oauth/config/scim/users.read https://jans.io/oauth/config/scim/users.write https://jans.io/scim/config.readonly https://jans.io/scim/config.write https://jans.io/oauth/config/organization.readonly https://jans.io/oauth/config/organization.write https://jans.io/oauth/config/user.readonly https://jans.io/oauth/config/user.write https://jans.io/oauth/config/user.delete https://jans.io/oauth/config/agama.readonly https://jans.io/oauth/config/agama.write https://jans.io/oauth/config/agama.delete https://jans.io/oauth/jans-auth-server/session.readonly https://jans.io/oauth/jans-auth-server/session.delete revoke_session https://jans.io/oauth/config/read-all https://jans.io/oauth/config/write-all https://jans.io/oauth/config/delete-all https://jans.io/oauth/config/openid-read https://jans.io/oauth/config/openid-write https://jans.io/oauth/config/openid-delete https://jans.io/oauth/config/uma-read https://jans.io/oauth/config/uma-write https://jans.io/oauth/config/uma-delete https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write https://jans.io/oauth/jans-auth-server/config/adminui/read-all https://jans.io/oauth/jans-auth-server/config/adminui/write-all https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete https://jans.io/oauth/jans-auth-server/config/adminui/delete-all https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly https://jans.io/oauth/jans-auth-server/config/adminui/license.write https://jans.io/oauth/config/plugin.readonly https://jans.io/oauth/client/authorizations.readonly https://jans.io/oauth/client/authorizations.delete  
 
 # jans.server
-token.endpoint=https://jans.server1/jans-auth/restv1/token
+token.endpoint=https://jans.server2/jans-auth/restv1/token
 token.grant.type=client_credentials
-test.client.id=1800.bf52932e-6f81-4a1b-be78-ccc0147f2a32
-test.client.secret=WBvBJiWJnfbh
-test.issuer=https://jans.server1/
+test.client.id=1800.a5e5d2d8-d379-4d68-b12a-575a84c22e04
+test.client.secret=ahqZzbPrSDcC
+test.issuer=https://jans.server2/
diff --git a/...fig-api/server/src/main/java/io/jans/configapi/rest/resource/auth/ConfigSmtpResource.java b/...fig-api/server/src/main/java/io/jans/configapi/rest/resource/auth/ConfigSmtpResource.java
@@ -67,10 +67,12 @@ public class ConfigSmtpResource extends ConfigBaseResource {
     @GET
     @ProtectedApi(scopes = { ApiAccessConstants.SMTP_READ_ACCESS }, groupScopes = {
             ApiAccessConstants.SMTP_WRITE_ACCESS }, superScopes = { ApiAccessConstants.SUPER_ADMIN_READ_ACCESS })
-    public Response getSmtpServerConfiguration() {
+    public Response getSmtpServerConfiguration() throws EncryptionException {
         SmtpConfiguration smtpConfiguration = configurationService.getConfiguration().getSmtpConfiguration();
-        log.debug(SMTP_CONFIGURATION + ":{}", smtpConfiguration);
-        return Response.ok(Objects.requireNonNullElseGet(smtpConfiguration, SmtpConfiguration::new)).build();
+        log.info(SMTP_CONFIGURATION + ":{} from DB", smtpConfiguration);
+        decryptPassword(smtpConfiguration);
+        log.info(SMTP_CONFIGURATION + ":{} fetched", smtpConfiguration);
+        return Response.ok(smtpConfiguration).build();
     }
 
     @Operation(summary = "Adds SMTP server configuration", description = "Adds SMTP server configuration", operationId = "post-config-smtp", tags = {
@@ -86,17 +88,15 @@ public Response getSmtpServerConfiguration() {
             ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response setupSmtpConfiguration(@Valid SmtpConfiguration smtpConfiguration) throws EncryptionException {
         log.debug(SMTP_CONFIGURATION + ":{}", smtpConfiguration);
-        String password = smtpConfiguration.getPassword();
-        if (password != null && !password.isEmpty()) {
-            smtpConfiguration.setPassword(encryptionService.encrypt(password));
-        }
-
+        encryptPassword(smtpConfiguration);
         GluuConfiguration configurationUpdate = configurationService.getConfiguration();
         log.debug("configurationUpdate:{}", configurationUpdate);
         configurationUpdate.setSmtpConfiguration(smtpConfiguration);
         configurationService.updateConfiguration(configurationUpdate);
-        return Response.status(Response.Status.CREATED)
-                .entity(configurationService.getConfiguration().getSmtpConfiguration()).build();
+        smtpConfiguration = configurationService.getConfiguration().getSmtpConfiguration();
+        decryptPassword(smtpConfiguration);
+        log.debug("After creeation " + SMTP_CONFIGURATION + ":{}", smtpConfiguration);
+        return Response.status(Response.Status.CREATED).entity(smtpConfiguration).build();
     }
 
     @Operation(summary = "Updates SMTP server configuration", description = "Updates SMTP server configuration", operationId = "put-config-smtp", tags = {
@@ -113,16 +113,15 @@ public Response setupSmtpConfiguration(@Valid SmtpConfiguration smtpConfiguratio
             ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response updateSmtpConfiguration(@Valid SmtpConfiguration smtpConfiguration) throws EncryptionException {
         log.debug(SMTP_CONFIGURATION + ":{}", smtpConfiguration);
-        String password = smtpConfiguration.getPassword();
-        if (password != null && !password.isEmpty()) {
-            smtpConfiguration.setPassword(encryptionService.encrypt(password));
-        }
-        log.debug(SMTP_CONFIGURATION + ":{}", smtpConfiguration);
+        encryptPassword(smtpConfiguration);
         GluuConfiguration configurationUpdate = configurationService.getConfiguration();
         log.debug("configurationUpdate:{}", configurationUpdate);
         configurationUpdate.setSmtpConfiguration(smtpConfiguration);
         configurationService.updateConfiguration(configurationUpdate);
-        return Response.ok(configurationService.getConfiguration().getSmtpConfiguration()).build();
+        smtpConfiguration = configurationService.getConfiguration().getSmtpConfiguration();
+        decryptPassword(smtpConfiguration);
+        log.debug("After update " + SMTP_CONFIGURATION + ":{}", smtpConfiguration);
+        return Response.ok(smtpConfiguration).build();
     }
 
     @Operation(summary = "Test SMTP server configuration", description = "Test SMTP server configuration", operationId = "test-config-smtp", tags = {
@@ -145,7 +144,7 @@ public Response testSmtpConfiguration() throws EncryptionException {
                 smtpConfiguration.getFromName(), smtpConfiguration.getFromEmailAddress(), null,
                 "SMTP Configuration verification", "Mail to test smtp configuration",
                 "Mail to test smtp configuration");
-        log.debug("smtpConfiguration test status:{}", status);
+        log.info("smtpConfiguration test status:{}", status);
         return Response.ok(status).build();
     }
 
@@ -165,4 +164,32 @@ public Response removeSmtpConfiguration() {
         return Response.noContent().build();
     }
 
+    private SmtpConfiguration encryptPassword(SmtpConfiguration smtpConfiguration) throws EncryptionException {
+        if (smtpConfiguration == null) {
+            return smtpConfiguration;
+        }
+        String password = smtpConfiguration.getPassword();
+        if (password != null && !password.isEmpty()) {
+            try {
+                encryptionService.decrypt(password);
+            } catch (Exception ex) {
+                log.error("Exception while decryption of smtpConfiguration password hence will encrypt it!!!");
+                smtpConfiguration.setPassword(encryptionService.encrypt(password));
+            }
+        }
+        return smtpConfiguration;
+    }
+
+    private SmtpConfiguration decryptPassword(SmtpConfiguration smtpConfiguration) throws EncryptionException {
+        if (smtpConfiguration != null) {
+            String password = smtpConfiguration.getPassword();
+            if (password != null && !password.isEmpty()) {
+                smtpConfiguration.setPassword(encryptionService.decrypt(password));
+            }
+        } else {
+            smtpConfiguration = new SmtpConfiguration();
+        }
+        return smtpConfiguration;
+    }
+
 }
diff --git a/...-config-api/server/src/main/java/io/jans/configapi/security/api/ApiProtectionService.java b/...-config-api/server/src/main/java/io/jans/configapi/security/api/ApiProtectionService.java
@@ -172,7 +172,7 @@ private List<Scope> validateScope(String resourceName, ProtectionScopeType prote
             log.debug("Re-verify ConfigApiScope rsScope.getName():{} with rsScope.getInum():{} in DB - scope:{} ",
                     rsScope.getName(), rsScope.getInum(), scope);
             if (scope == null) {
-                log.debug("Scope - '{}' does not exist, hence creating it.", scope);
+                log.info("Scope - '{}' does not exist, hence creating it.", scope);
                 // Scope does not exists hence create Scope
                 scope = new Scope();
                 String inum = rsScope.getInum();