Tidying up before 5.2.1. Found missing documentation and some issues …

…with reading the client management configuration. Added more testing scripts.
ncsa · Aug 23, 2021 · 8bc35fe · 8bc35fe
1 parent 1f74b8e
commit 8bc35fe
Show file tree

Hide file tree

Showing 28 changed files with 874 additions and 182 deletions.
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
diff --git a/oa4mp-qdl/buildNumber.properties b/oa4mp-qdl/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Thu Aug 19 20:01:06 CDT 2021
-buildNumber\\d*=3994
+#Mon Aug 23 16:08:26 CDT 2021
+buildNumber\\d*=4011
diff --git a/oa4mp-server-admin-oauth2/src/main/resources/testing/testing-readme.txt b/oa4mp-server-admin-oauth2/src/main/resources/testing/testing-readme.txt
@@ -398,6 +398,7 @@ TO DO:
        If this fails, the system is not working at a basic level.
 
 * Put on test.
+   (Deprecated since the portal this requires was shutdown.)
 -- localhost kubernetes install. This is located in the ~/.kube directory.
    Note that the endpoint here points to test.cilogon.org and is usually not
    available. Contact Dmitry to enable it for testing.

diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-get2.sh b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-get2.sh
@@ -0,0 +1,17 @@
+# A script that performs a cURL call to an OA4MP server that has the client management API enabled on it.
+# This script will issue a GET to then endpoint and the response will be a JSON object containing
+# the properties for the client.
+# You MUST register and have approved an admin client for this to work.  This script sets all the headers and such
+# you need to do and monitors the response.
+#
+# E.g.
+# ./cm-get.sh create.json
+#
+# response is a JSON object, echo-ed to the command line and stored in the local file output.json.
+
+source ./cm-setenv2.sh
+
+curl -k -X GET -H "Authorization: Bearer $BEARER_TOKEN"  $REGISTRATION_URI> output.json
+cat output.json
+
+
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-post2.sh b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-post2.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# A script that performs a cURL call to an OA4MP server that has the client management API enabled on it.
+# This will issue a POST to the endpoint (as per RFC 7591) and will create a new client on the server
+# from the given JSON object.
+# Note that is for the case where anonymous requests to this service are allowed.
+# No admin client is needed and server policies (typically that the client is not
+# approved until vetted by the system administrator) or in effect. This is no different
+# than going to the registration endpoint for the server and filling out the form.
+# E.g.
+# ./cm-post2.sh create.json
+#
+# response is a standard compliant JSON object with the id, secret a registration endpoint for future operations on this client,
+# and perhaps other information relating to the server's management (such as when the id was issued or perhaps
+# when it expires).
+# OA4MP does nto alloow clients to update or delete themselves.
+
+source ./cm-setenv2.sh
+
+
+curl -k -X POST  -H "Content-Type: application/json; charset=UTF-8" --data @$1 $SERVER > output.json
+cat output.json
+
+
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-setenv2.sh b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/cm-setenv2.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# This file contains the environment variables for the service. Set them here and they should
+# get picked up by each script as needed (this assumes everything is being run from the current
+# directory).
+
+# Tip: If you are working with several different clients, you may want to comment out the
+# setting REGISTRATION_URI so it does not get set to what is here.
+
+# export SERVER=https://cilogon.org/oauth2/oidc-cm
+# export CLIENT_ID=put-your-id-here
+# export CLIENT_SECRET=put-your-secret-here
+# export REGISTRATION_URI="https://cilogon.org/oauth2/oidc-cm?client_id=put-client-id-here"
+
+# We set the bearer token here so it is available subsequently. This is the least problematic way to
+# do this since it is easy to get the escaping wrong.
+
+# Next line is for debugging. Just remove it if it is here and set your own values above.
+source /home/ncsa/dev/csd/config/oidc-cm-setenv2.sh
+
+# Slightly kludgy: There is NO bash way to URL encode/decode at the command line.
+# At least without a substantial detour to something like sed
+# and a very messy (as in fragile) reg ex.
+# The spec says the bearer token is
+# base64_encode(url_encode(CLIENT_ID):url_encode(CLIENT_SECRET))
+# In point of fact, OA4MP ids and tokens are invariant under url decode:
+# CLIENT_ID == url_decode(CLIENT_ID), CLIENT_SECRET == url_decode(CLIENT_SECRET)
+# which we use here.
+# So if this ever breaks because the ids or secrets change, this is why.
+
+export BEARER_TOKEN=$(echo -n $CLIENT_ID:$CLIENT_SECRET | base64 -w 0)
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create-extra.json b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create-extra.json
@@ -0,0 +1,41 @@
+{
+  "comment": ["This is an example to show how to send extra attributes, here the cfg parameter.",
+    "See the readme.txt for more. For anonymous client this MUST always fail since QDL is not allowed."
+    ],
+  "application_type": "web",
+  "redirect_uris": [
+    "http://localhost/callback"
+  ],
+  "grant_types": [
+    "authorization_code",
+    "refresh_token"
+  ],
+  "response_types": [
+    "code",
+    "id_token"
+  ],
+  "client_name": "OA4MP extra attributes test - creation",
+  "scope": "openid email",
+  "contacts": [
+    "bob@bigstate.edu"
+  ],
+  "extra_attribute1": "some extra attribute",
+  "extra_attribute2": "my totally cool secret thingie",
+  "cfg": {
+    "qdl": [
+      "a",
+      "b"
+    ],
+    "claims": {
+      "sourceConfig": {
+        "foo": "bar"
+      },
+      "postProcessor": {
+        "fnord": "postP"
+      },
+      "preProcessor": {
+        "fnord2": "preP"
+      }
+    }
+  }
+}
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create-public.json b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create-public.json
@@ -0,0 +1,21 @@
+{
+  "comment": [
+    "This is a basic example from the specification to test if a public client has been created correctly",
+    "Note that this also includes a refresh token lifetime parameter (rt_lifetime). Omitting this disables refresh tokens.",
+    "The lifetime is in seconds.",
+    "To create a public client, the scope must be 'openid' and the auth method must be 'none'."
+    ],
+  "redirect_uris": [
+    "http://localhost/callback",
+        "http://localhost/callback2",
+        "http://localhost/callback3"
+  ],
+  "client_name": "Another test client",
+  "scope": "openid",
+  "token_endpoint_auth_method": "none",
+  "contacts": [
+    "your.email@here.org"
+  ],
+  "rt_lifetime" :2592000,
+  "at_lifetime" :900
+}
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create.json b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/create.json
@@ -0,0 +1,28 @@
+{
+  "comment": "This is a basic example from the specification to test if a client has been created correctly",
+  "application_type": "web",
+  "redirect_uris": [
+    "https://client.example.org/callback",
+    "https://client.example.org/callback2"
+  ],
+  "client_name": "My Example",
+  "client_name#ja-Jpan-JP": "クライアント名",
+  "logo_uri": "https://client.example.org/logo.png",
+  "scope": ["openid", "email", "profile"],
+  "subject_type": "pairwise",
+  "sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json",
+  "token_endpoint_auth_method": "client_secret_basic",
+  "jwks_uri": "https://client.example.org/my_public_keys.jwks",
+  "userinfo_encrypted_response_alg": "RSA1_5",
+  "userinfo_encrypted_response_enc": "A128CBC-HS256",
+  "contacts": [
+    "ve7jtb@example.org",
+    "mary@example.org"
+  ],
+  "request_uris": [
+    "https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"
+  ],
+  "at_lifetime":1009,
+  "rt_lifetime":1000000,
+  "strict_scopes":false
+}
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/readme.txt b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/anon/readme.txt
@@ -0,0 +1,14 @@
+This directory contains scripts and testing JSON requests for doing anonymous
+client creations. That means that for POST
+
+- no admin client is needed
+- the server must be configured to do this explicitly
+- the client is not approved by default
+- server policies (such as a template) are applied.
+
+IF RFC 7592 is enabled, then the client can get itself, using its id and
+password. If RFC 7592 is not enabled, requests are rejected
+
+** No deletes or updates are allowed for any client. These must be done
+   using an admin client to preserve the trust relations.
+
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/cm-setenv.sh b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/cm-setenv.sh
@@ -18,4 +18,14 @@
 # Next line is for debugging. Just remove it if it is here and set your own values above.
 source /home/ncsa/dev/csd/config/oidc-cm-setenv.sh
 
+# Slightly kludgy: There is NO way to URL encode/decode at the command line.
+# At least without a substantial detour to something like sed
+# and a very messy (as in fragile) reg ex.
+# The spec says the bearer token is
+# base64_encode(url_encode(ADMIN_ID):url_encode(ADMIN_SECRET))
+# In point of fact, OA4MP ids and tokens are invariant under url decode:
+# ADMIN_ID == url_decode(ADMIN_ID), ADMIN_SECRET == url_decode(ADMIN_SECRET)
+# which we use here.
+# So if this ever breaks because the ids or secrets change, this is why.
+
 export BEARER_TOKEN=$(echo -n $ADMIN_ID:$ADMIN_SECRET | base64 -w 0)
diff --git a/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/output.json b/oa4mp-server-admin-oauth2/src/main/scripts/oidc-cm-scripts/output.json
@@ -1 +1,2 @@
-{"registration_client_uri":"https://dev.cilogon.org/oauth2/oidc-cm?client_id=cilogon:/client_id/5ae8781fa349ca8229d60e48dd0704ac","client_id":"cilogon:/client_id/5ae8781fa349ca8229d60e48dd0704ac","client_name":"My Example","redirect_uris":["https://client.example.org/callback","https://client.example.org/callback2"],"rt_lifetime":1000000,"at_lifetime":1000000,"scope":["openid","email","profile"],"client_uri":"","strict_scopes":false,"client_id_issued_at":1622230466,"contacts":["ve7jtb@example.org"],"comment":"This is a basic example from the specification to test if a client has been created correctly","client_name#ja-Jpan-JP":"???????","logo_uri":"https://client.example.org/logo.png","subject_type":"pairwise","sector_identifier_uri":"https://other.example.net/file_of_redirect_uris.json","jwks_uri":"https://client.example.org/my_public_keys.jwks","userinfo_encrypted_response_alg":"RSA1_5","userinfo_encrypted_response_enc":"A128CBC-HS256","request_uris":["https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"]}
+error="invalid_request"
+error_description="no+such+client"
diff --git a/...-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/claims/FSClaimSource.java b/...-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/claims/FSClaimSource.java
@@ -17,6 +17,8 @@
 /**
  * A claim source backed by a file system. The file simply contains a JSON object of userids and attributes
  * associated with that id. These are then returned as claims.
+ * Alternately, the JSON itself can just be set and used. This is how QDL utilities do it so
+ * they can fetch the JSON from a virtual file system.
  * <p>Created by Jeff Gaynor<br>
  * on 10/21/19 at  12:49 PM
  */

diff --git a/...erver-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/CM7591Config.java b/...erver-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/CM7591Config.java
@@ -0,0 +1,40 @@
+package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm;
+
+import edu.uiuc.ncsa.security.core.Identifier;
+
+import java.net.URI;
+
+/**
+ * <p>Created by Jeff Gaynor<br>
+ * on 8/21/21 at  4:58 PM
+ */
+public class CM7591Config extends CMConfig {
+    public CM7591Config() {
+    }
+
+    public CM7591Config(String protocol, URI uri, boolean enabled, Identifier template, boolean anonymousOK, boolean autoApprove) {
+        super(protocol, uri, enabled);
+        this.template = template;
+        this.anonymousOK = anonymousOK;
+        this.autoApprove = autoApprove;
+    }
+
+    public Identifier template = null;
+    public boolean anonymousOK = false;
+    public boolean autoApprove = false;
+    public String autoApproverName = "auto-approved"; // default
+
+    @Override
+    public String toString() {
+        return "CM7591Config{" +
+                "protocol='" + protocol + '\'' +
+                ", uri=" + uri +
+                ", enabled=" + enabled +
+                ", isConfigured=" + isConfigured +
+                ", template=" + template +
+                ", anonymousOK=" + anonymousOK +
+                ", autoApprove=" + autoApprove +
+                ", autoApproverName=" + autoApproverName +
+                '}';
+    }
+}
diff --git a/oa4mp-server-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/CMConfig.java b/oa4mp-server-loader-oauth2/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/CMConfig.java
@@ -14,7 +14,7 @@ public class CMConfig {
     public CMConfig() {
     }
 
-    public CMConfig(String protocol,  URI uri, boolean enabled) {
+    public CMConfig(String protocol, URI uri, boolean enabled) {
         this.protocol = protocol;
         this.uri = uri;
         this.enabled = enabled;
@@ -31,8 +31,9 @@ public String toString() {
                 ']';
     }
 
-    public  String protocol;
-   public  URI uri;
-   public  boolean enabled = false;
-   public  boolean isConfigured = false; // if this has been properly configured.
+    public String protocol;
+    public URI uri;
+    public boolean enabled = false;
+    public boolean isConfigured = false; // if this has been properly configured.
+
 }