Spring Security 5 OAuth2

.gitignore

@@ -6,6 +6,7 @@ gradle-app.setting
 .gradletasknamecache
 !**/src/main/**/build/
 !**/src/test/**/build/
+*.jks
 
 ### STS ###
 .apt_generated

CHANGELOG.md

@@ -16,6 +16,7 @@
 * [REST]: Updated synchronizing of sample data to remove sequencing objects and assemblies that no longer exist on the remote sample. See [PR 1345](https://github.com/phac-nml/irida/pull/1345)
 * [UI]: Fixed issue with filtering samples by files using a windows encoded text file causing sample name truncation. See [PR 1346](https://github.com/phac-nml/irida/pull/1346)
 * [Developer]: Fixed deleting a project with project subscriptions. See [PR 1348](https://github.com/phac-nml/irida/pull/1348)
+* [Developer]: Updated OAuth2 implemention to use Spring Security 5 OAuth2 libraries. See [PR 1339](https://github.com/phac-nml/irida/pull/1339)
 
 ## [22.05.5] - 2022/06/28
 * [UI]: Fixed bug preventing export of project samples table due to invalid url. [PR 1331](https://github.com/phac-nml/irida/pull/1331)

build.gradle.kts

@@ -121,6 +121,8 @@ dependencies {
     }
     implementation("org.springframework.boot:spring-boot-starter-validation")
     implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.3.1")
+    implementation("org.springframework.security:spring-security-oauth2-resource-server:5.7.2")
     implementation("org.apache.oltu.oauth2:org.apache.oltu.oauth2.client:1.0.0") {
         exclude(group = "org.slf4j")
     }
@@ -146,9 +148,6 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-web-services")
     implementation("org.springframework.boot:spring-boot-starter-hateoas")
-    implementation("org.springframework.security.oauth:spring-security-oauth2:2.3.6.RELEASE") {
-        exclude(group = "org.codehaus.jackson", module = "jackson-mapper-asl")
-    }
     implementation("commons-io:commons-io:2.11.0")
     implementation("commons-fileupload:commons-fileupload:1.4")
     implementation("org.apache.poi:poi-ooxml:5.2.2") {
@@ -266,6 +265,7 @@ tasks.war {
     exclude("entries.js")
     exclude(".eslintrc.js")
     exclude("postcss.config.js")
+    rootSpec.exclude("**/jwk-key-store.jks")
 }
 
 node {
@@ -423,6 +423,12 @@ tasks.named<BootRun>("bootRun") {
     }
 }
 
+task<Exec>("generateJWKKeyStore") {
+    workingDir(file("${projectDir}/src/main/resources"))
+    commandLine(listOf("keytool", "-genkeypair", "-alias", "JWK", "-keyalg", "RSA", "-noprompt", "-dname", "CN=irida.bioinformatics.corefacility.ca, OU=ID, O=IRIDA, L=IRIDA, S=IRIDA, C=CA", "-keystore", "jwk-key-store.jks", "-validity", "3650", "-storepass", "SECRET", "-keypass", "SECRET", "-storetype", "PKCS12"))
+    outputs.file(file("${projectDir}/src/main/resources/jwk-key-store.jks"))
+}
+
 openApi {
     outputDir.set(file("${projectDir}/doc/swagger-ui"))
     outputFileName.set("open-api.json")
@@ -434,6 +440,7 @@ tasks.processResources {
         expand(project.properties)
     }
     dependsOn(":buildWebapp")
+    dependsOn(":generateJWKKeyStore")
 }
 
 tasks.javadoc {

doc/administrator/web/config/irida.conf

@@ -18,6 +18,10 @@ file.processing.max.size=8
 file.processing.queue.capacity=512
 file.processing.process=true
 
+##### OAuth2 JWT security settings.
+# Default keystore for holding public/private keys required for OAuth2 JWK Access Token encryption/decryption
+oauth2.jwk.key-store=/etc/irida/jwk-key-store.jks
+oauth2.jwk.key-store-password=SECRET
 
 ##### The database-specific settings. Several examples of how to specify a
 ##### Hibernate driver are listed below (but commented out).

doc/administrator/web/index.md

@@ -98,6 +98,17 @@ The main configuration parameters you will need to change are:
   * `ncbi.upload.namespace` - Prefix for file upload identifiers to NCBI. The namespace is used to guarantee upload IDs are unique.  This configuration option is used as a placeholder and may still be set by the user.
 5. **Security configuration**
  * `security.password.expiry` - The number of days a password is valid for in IRIDA.  After a password expires the user will be required to create a new one.  Passwords cannot be reused.
+6. **OAuth2 JWK security configuration** - IRIDA uses JWT (Json Web Tokens) for OAuth2 and as such requires a Java Key Store with an entry stored in PKCS12 format. The key pair entry can be in either RSA or EC (curves allowed are P-256, P-384, and P-121) format. The password for the keystore must be the same as the password for the key entry (This is default for PKCS12 format). (Note: these keys have nothing to do with SSL).
+ * `oauth2.jwk.key-store=/etc/irida/jwk-key-store.jks` - The location of the Java Key Store 
+ * `oauth2.jwk.key-store-password=SECRET` - The Java Key Store password
+
+### OAuth2 JWK Java Key Store generation
+The Java Key Store required to encrypt and decrypt the JWT's can be generated with the following commands:
+```bash
+keytool -genkeypair -alias JWK -keyalg RSA -noprompt -dname "CN=irida.bioinformatics.corefacility.ca, OU=ID, O=IRIDA, L=IRIDA, S=IRIDA, C=CA" -keystore /etc/irida/jwk-key-store.jks -validity 3650 -storepass SECRET -keypass SECRET -storetype PKCS12
+```
+
+This will generate a Java Key Store with an entry aliased `JWK` with an expiry of 10 years and a password of `SECRET`.
 
 Web Configuration
 -----------------

src/main/java/ca/corefacility/bioinformatics/irida/config/repository/IridaApiRepositoriesConfig.java

@@ -1,7 +1,6 @@
 package ca.corefacility.bioinformatics.irida.config.repository;
 
 import javax.persistence.EntityManagerFactory;
-import javax.sql.DataSource;
 
 import org.hibernate.envers.AuditReader;
 import org.hibernate.envers.AuditReaderFactory;
@@ -13,8 +12,6 @@
 import org.springframework.data.envers.repository.support.EnversRevisionRepositoryFactoryBean;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
-import org.springframework.security.oauth2.provider.token.TokenStore;
-import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
 import ca.corefacility.bioinformatics.irida.config.data.IridaApiJdbcDataSourceConfig;
@@ -23,14 +20,15 @@
 
 /**
  * Configuration for repository/data storage classes.
- * 
- * 
  */
 @Configuration
 @EnableTransactionManagement(order = IridaApiRepositoriesConfig.TRANSACTION_MANAGEMENT_ORDER)
-@EnableJpaRepositories(basePackages = "ca.corefacility.bioinformatics.irida.repositories", repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class)
+@EnableJpaRepositories(basePackages = "ca.corefacility.bioinformatics.irida.repositories",
+		repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class)
 @ComponentScan("ca.corefacility.bioinformatics.irida.repositories.remote")
-@Import({ IridaApiPropertyPlaceholderConfig.class, IridaApiJdbcDataSourceConfig.class,
+@Import({
+		IridaApiPropertyPlaceholderConfig.class,
+		IridaApiJdbcDataSourceConfig.class,
 		IridaApiFilesystemRepositoryConfig.class })
 @EnableJpaAuditing
 public class IridaApiRepositoriesConfig {
@@ -49,10 +47,4 @@ public RevisionListener revisionListener() {
 	public AuditReader auditReader(EntityManagerFactory entityManagerFactory) {
 		return AuditReaderFactory.get(entityManagerFactory.createEntityManager());
 	}
-
-	@Bean(name="iridaTokenStore")
-	public TokenStore tokenStore(DataSource dataSource) {
-		TokenStore store = new JdbcTokenStore(dataSource);
-		return store;
-	}
 }