Duplicate auth id fix #1186

wants to merge 27 commits into
base: v2.1
Changes from 6 commits
27 commits
5de2595
add redis test container
bennsimon Jul 6, 2022
f05f49f
overide JdbcTokenStore storeAcessToken mthd
hilpitome Feb 14, 2023
111a29b
use reflection to access private fields
hilpitome Feb 14, 2023
0853933
refactor code
hilpitome Feb 14, 2023
bea4049
apply openMRS formatter
hilpitome Feb 14, 2023
0cf4fa4
use bean in OAuth2SecurityConfig
hilpitome Feb 14, 2023
a0a528b
update version and add logging
hilpitome Feb 15, 2023
5dc1f4e
Update pom.xml
hilpitome Feb 17, 2023
e6cde50
refactor storeaAccessToken method
hilpitome Feb 20, 2023
02feef0
Merge branch 'duplicate-auth-id-fix' of github.com:opensrp/opensrp-se…
hilpitome Feb 20, 2023
690124e
Update pom.xml
hilpitome Feb 21, 2023
953575a
add extra logging
hilpitome Feb 27, 2023
de19219
Merge branch 'duplicate-auth-id-fix' of github.com:opensrp/opensrp-se…
hilpitome Feb 27, 2023
3dcb9ca
update pom version
hilpitome Feb 27, 2023
dbdbf4f
apply formatter;
hilpitome Mar 2, 2023
d24820f
log when entering storAccessToken mthd
hilpitome Mar 2, 2023
fba0d5d
init unit test for jdbctokenstore
hilpitome Mar 3, 2023
a2bf76b
create OAuth2Request instance for testing
hilpitome Mar 6, 2023
bf86f64
mock connection;
hilpitome Mar 6, 2023
e7a5c42
add env with annotations
hilpitome Mar 7, 2023
8334adc
enable redis
hilpitome Mar 7, 2023
eeb57f7
add password to TestRedisConfig
hilpitome Mar 7, 2023
638662d
init use real objects instead of mocks
hilpitome Mar 10, 2023
920f743
delete OAth2SecurityTest and update server version
hilpitome Mar 13, 2023
ccd6ecd
retrigger checks
hilpitome Mar 13, 2023
84009bb
merge with branck add-redis-test-container
hilpitome Mar 13, 2023
4ed7f57
revert test postgres settings
hilpitome Mar 13, 2023
2 changes: 1 addition & 1 deletion configs
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -6,7 +6,7 @@

<artifactId>opensrp-server-web</artifactId>
<packaging>war</packaging>
<version>2.1.70.8-SNAPSHOT</version>
<version>2.1.70.9-SNAPSHOT</version>
<name>opensrp-server-web</name>
<description>OpenSRP Server Web Application</description>
<url>https://github.com/OpenSRP/opensrp-server-web</url>
@@ -1,19 +1,26 @@
/**
*
*
*/
package org.opensrp.web.config.security;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensrp.web.config.Role;
import org.opensrp.web.security.OauthAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthenticationKeyGenerator;
import org.springframework.security.oauth2.provider.token.DefaultAuthenticationKeyGenerator;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
Expand All @@ -26,15 +33,15 @@
@EnableWebSecurity
@Configuration
@Profile("oauth2")
public class OAuth2SecurityConfig extends BasicAuthSecurityConfig{
public class OAuth2SecurityConfig extends BasicAuthSecurityConfig {

@Autowired
private OauthAuthenticationProvider opensrpAuthenticationProvider;

@Autowired
private ClientDetailsService clientDetailsService;

@Qualifier( value = "openSRPDataSource")
@Qualifier(value = "openSRPDataSource")
@Autowired
private DataSource dataSource;

Expand Down Expand Up @@ -67,14 +74,13 @@ protected void configure(HttpSecurity http) throws Exception {
/* @formatter:on */
}


@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(opensrpAuthenticationProvider).eraseCredentials(false);
}
}

public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices= new DefaultTokenServices();
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore());
tokenServices.setSupportRefreshToken(true);
tokenServices.setClientDetailsService(clientDetailsService);
Expand All @@ -83,7 +89,23 @@ public DefaultTokenServices tokenServices() {

@Bean
public JdbcTokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
final JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
final AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();
Logger logger = LogManager.getLogger(JdbcTokenStore.class.toString());
return new JdbcTokenStore(dataSource) {

@Override
public void storeAccessToken(final OAuth2AccessToken token, final OAuth2Authentication authentication) {
final String key = authenticationKeyGenerator.extractKey(authentication);
Member
Check for null authentication.

if( key == null || authentication == null)
Contributor
  • I think the check for authentication needs to happen before passing the authentication object to the function
  • Evaluate and see if super needs to be called even if we skip the delete operation

Contributor Author
super needs to be called since it is mostly operating on the OAuth2AccessToken token.

return;
int rowsAffected = jdbcTemplate.update("delete from oauth_access_token where authentication_id = ?", key);
String isSuccess = ( rowsAffected > 0 ) ? "Success" : "Failure";
logger.info("Attempt to delete authentication_id {} from oauth_access_token table was a {}", key, isSuccess);
super.storeAccessToken(token, authentication);
}

};
}

}
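Review bot: The delete at `jdbcTemplate.update("delete from oauth_access_token where authentication_id = ?", key)` and the inserts done by `super.storeAccessToken(token, authentication)` run as separate statements on the pooled DataSource with no transaction boundary around the override, so two concurrent token requests for the same user/client/scope can both pass the delete and both insert, reproducing the duplicate authentication_id rows this PR sets out to remove. If the schema does not already enforce it, a unique constraint on `oauth_access_token.authentication_id` (or running the delete and the store inside one transaction that locks the key) is what actually guarantees at most one row per key; the delete alone narrows the window but does not close it. Separately, `LogManager.getLogger(JdbcTokenStore.class.toString())` registers the logger under the name `class org.springframework.security.oauth2.provider.token.store.JdbcTokenStore`, which will not match package-based log4j configuration — `LogManager.getLogger(JdbcTokenStore.class)` gives the conventional logger name. Note also that deleting by authentication_id removes only the access-token row, so any refresh token referenced by the deleted row presumably stays in oauth_refresh_token and remains redeemable; confirm that is the intended behaviour for a replaced token. The tokenStore() method and its anonymous subclass are complete within this hunk.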