Spring Security 5 OAuth2

.gitignore

@@ -6,6 +6,7 @@ gradle-app.setting
 .gradletasknamecache
 !**/src/main/**/build/
 !**/src/test/**/build/
+*.pem
 
 ### STS ###
 .apt_generated

build.gradle.kts

@@ -121,6 +121,8 @@ dependencies {
     }
     implementation("org.springframework.boot:spring-boot-starter-validation")
     implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.3.0")
+    implementation("org.springframework.security:spring-security-oauth2-resource-server:5.7.2")
     implementation("org.apache.oltu.oauth2:org.apache.oltu.oauth2.client:1.0.0") {
         exclude(group = "org.slf4j")
     }
@@ -146,9 +148,6 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-web-services")
     implementation("org.springframework.boot:spring-boot-starter-hateoas")
-    implementation("org.springframework.security.oauth:spring-security-oauth2:2.3.6.RELEASE") {
-        exclude(group = "org.codehaus.jackson", module = "jackson-mapper-asl")
-    }
     implementation("commons-io:commons-io:2.11.0")
     implementation("commons-fileupload:commons-fileupload:1.4")
     implementation("org.apache.poi:poi-ooxml:5.2.2") {
@@ -266,6 +265,7 @@ tasks.war {
     exclude("entries.js")
     exclude(".eslintrc.js")
     exclude("postcss.config.js")
+    rootSpec.exclude("**/jwk-*.pem")
 }
 
 node {
@@ -423,6 +423,32 @@ tasks.named<BootRun>("bootRun") {
     }
 }
 
+task<Exec>("generateRSAKeyPair") {
+    workingDir(file("${projectDir}/src/main/resources"))
+    commandLine(listOf("openssl", "genpkey", "-algorithm", "RSA", "-out", "jwk-keypair.pem"))
+    outputs.file(file("${projectDir}/src/main/resources/jwk-keypair.pem"))
+}
+
+task<Exec>("generateRSAPrivateKey") {
+    dependsOn(":generateRSAKeyPair")
+    workingDir(file("${projectDir}/src/main/resources"))
+    commandLine(listOf("openssl", "pkcs8", "-inform", "PEM", "-outform", "PEM", "-nocrypt", "-in", "jwk-keypair.pem", "-out", "jwk-private.pem"))
+    outputs.file(file("${projectDir}/src/main/resources/jwk-private.pem"))
+}
+
+task<Exec>("generateRSAPublicKey") {
+    dependsOn(":generateRSAKeyPair")
+    workingDir(file("${projectDir}/src/main/resources"))
+    commandLine(listOf("openssl", "rsa", "-in", "jwk-keypair.pem", "-pubout", "-out", "jwk-public.pem"))
+    outputs.file(file("${projectDir}/src/main/resources/jwk-public.pem"))
+}
+
+task<DefaultTask>("generateJWK") {
+    dependsOn("generateRSAKeyPair")
+    dependsOn("generateRSAPrivateKey")
+    dependsOn("generateRSAPublicKey")
+}
+
 openApi {
     outputDir.set(file("${projectDir}/doc/swagger-ui"))
     outputFileName.set("open-api.json")
@@ -434,6 +460,7 @@ tasks.processResources {
         expand(project.properties)
     }
     dependsOn(":buildWebapp")
+    dependsOn(":generateJWK")
 }
 
 tasks.javadoc {

doc/administrator/web/config/irida.conf

@@ -18,6 +18,10 @@ file.processing.max.size=8
 file.processing.queue.capacity=512
 file.processing.process=true
 
+##### OAuth2 JWT security settings.
+oauth2.jwk.rsakey.id=CHANGEME
+oauth2.jwk.rsakey.private=/etc/irida/jwk-private.pem
+oauth2.jwk.rsakey.public=/etc/irida/jwk-public.pem
 
 ##### The database-specific settings. Several examples of how to specify a
 ##### Hibernate driver are listed below (but commented out).

doc/administrator/web/index.md

@@ -98,6 +98,21 @@ The main configuration parameters you will need to change are:
   * `ncbi.upload.namespace` - Prefix for file upload identifiers to NCBI. The namespace is used to guarantee upload IDs are unique.  This configuration option is used as a placeholder and may still be set by the user.
 5. **Security configuration**
  * `security.password.expiry` - The number of days a password is valid for in IRIDA.  After a password expires the user will be required to create a new one.  Passwords cannot be reused.
+6. **OAuth2 JWK security configuration** - IRIDA uses JWT (Json Web Tokens) for OAuth2 and as such requires a JWK (Json Web Key) in RSA format to encrypt and decrypt these tokens.
+ * `oauth2.jwk.rsakey.id=CHANGEME` - The id for the RSA private and public keys (used to select the correct keys for encryption and decryption)
+ * `oauth2.jwk.rsakey.private=/etc/irida/jwk-private.pem` - The RSA private key 
+ * `oauth2.jwk.rsakey.public=classpath:/jwk-public.pem` - The RSA public key
+
+### OAuth2 JWK RSA Key generation
+The RSA keys used to encrypt and decrypt the JWT's can be generated with the following commands:
+```bash
+# First generate the RSA Keypair
+openssl genpkey -algorithm RSA -out /etc/irida/jwk-keypair.pem
+# Second extract the RSA private key from the RSA Keypair
+openssl pkcs8 -inform PEM -outform PEM -nocrypt -in /etc/irida/jwk-keypair.pem -out /etc/irida/jwk-private.pem
+# Third extract the RSA public key from the RSA Keypair
+openssl rsa -in /etc/irida/jwk-keypair.pem -pubout -out /etc/irida/jwk-public.pem
+```
 
 Web Configuration
 -----------------

src/main/java/ca/corefacility/bioinformatics/irida/config/repository/IridaApiRepositoriesConfig.java

@@ -1,7 +1,6 @@
 package ca.corefacility.bioinformatics.irida.config.repository;
 
 import javax.persistence.EntityManagerFactory;
-import javax.sql.DataSource;
 
 import org.hibernate.envers.AuditReader;
 import org.hibernate.envers.AuditReaderFactory;
@@ -13,8 +12,6 @@
 import org.springframework.data.envers.repository.support.EnversRevisionRepositoryFactoryBean;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
-import org.springframework.security.oauth2.provider.token.TokenStore;
-import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
 import ca.corefacility.bioinformatics.irida.config.data.IridaApiJdbcDataSourceConfig;
@@ -23,14 +20,15 @@
 
 /**
  * Configuration for repository/data storage classes.
- * 
- * 
  */
 @Configuration
 @EnableTransactionManagement(order = IridaApiRepositoriesConfig.TRANSACTION_MANAGEMENT_ORDER)
-@EnableJpaRepositories(basePackages = "ca.corefacility.bioinformatics.irida.repositories", repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class)
+@EnableJpaRepositories(basePackages = "ca.corefacility.bioinformatics.irida.repositories",
+		repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class)
 @ComponentScan("ca.corefacility.bioinformatics.irida.repositories.remote")
-@Import({ IridaApiPropertyPlaceholderConfig.class, IridaApiJdbcDataSourceConfig.class,
+@Import({
+		IridaApiPropertyPlaceholderConfig.class,
+		IridaApiJdbcDataSourceConfig.class,
 		IridaApiFilesystemRepositoryConfig.class })
 @EnableJpaAuditing
 public class IridaApiRepositoriesConfig {
@@ -49,10 +47,4 @@ public RevisionListener revisionListener() {
 	public AuditReader auditReader(EntityManagerFactory entityManagerFactory) {
 		return AuditReaderFactory.get(entityManagerFactory.createEntityManager());
 	}
-
-	@Bean(name="iridaTokenStore")
-	public TokenStore tokenStore(DataSource dataSource) {
-		TokenStore store = new JdbcTokenStore(dataSource);
-		return store;
-	}
 }