From 08d87c4e92d9e154fb78466f562151bda93a0872 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Magalh=C3=A3es?= Date: Fri, 4 Oct 2024 13:43:55 +0100 Subject: [PATCH] fix: revoke refresh token method now deletes secret (#1603) * fix lack of secret deletion * Changed value from mock to instance * deps --- DEPENDENCIES | 40 +++++++++---------- .../DataPlaneTokenRefreshServiceImpl.java | 5 +++ ...eTokenRefreshServiceImplComponentTest.java | 28 ++++++++++++- 3 files changed, 51 insertions(+), 22 deletions(-) diff --git a/DEPENDENCIES b/DEPENDENCIES index 7bf43b926..3e27637d7 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES @@ -652,42 +652,42 @@ maven/mavencentral/org.yaml/snakeyaml/2.3, Apache-2.0 AND (Apache-2.0 OR BSD-3-C maven/mavencentral/software.amazon.awssdk/annotations/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/annotations/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/apache-client/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/apache-client/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/apache-client/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/arns/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/arns/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/arns/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/auth/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/auth/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/aws-core/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/aws-core/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/aws-core/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/aws-query-protocol/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/aws-query-protocol/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/aws-xml-protocol/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/aws-xml-protocol/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/aws-xml-protocol/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/checksums-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/checksums-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/checksums-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/checksums/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/checksums/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/checksums/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/crt-core/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/crt-core/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/crt-core/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/endpoints-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/endpoints-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/endpoints-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-auth-aws-eventstream/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/http-auth-aws-eventstream/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/http-auth-aws-eventstream/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-auth-aws/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/http-auth-aws/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/http-auth-aws/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-auth-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/http-auth-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/http-auth-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-auth/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/http-auth/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/http-auth/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-client-spi/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/http-client-spi/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/iam/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/identity-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/identity-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/identity-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/json-utils/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/json-utils/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/json-utils/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/metrics-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/metrics-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/metrics-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/netty-nio-client/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/netty-nio-client/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/profiles/2.26.27, Apache-2.0, approved, clearlydefined @@ -697,17 +697,17 @@ maven/mavencentral/software.amazon.awssdk/protocol-core/2.28.12, , restricted, c maven/mavencentral/software.amazon.awssdk/regions/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/regions/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/retries-spi/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/retries-spi/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/retries-spi/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/retries/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/retries/2.28.12, , restricted, clearlydefined -maven/mavencentral/software.amazon.awssdk/s3-transfer-manager/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/retries/2.28.12, Apache-2.0, approved, clearlydefined +maven/mavencentral/software.amazon.awssdk/s3-transfer-manager/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/s3/2.26.27, Apache-2.0, approved, clearlydefined -maven/mavencentral/software.amazon.awssdk/s3/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/s3/2.28.12, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/sdk-core/2.26.27, Apache-2.0, approved, #15695 maven/mavencentral/software.amazon.awssdk/sdk-core/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/sts/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/third-party-jackson-core/2.26.27, Apache-2.0, approved, #15693 -maven/mavencentral/software.amazon.awssdk/third-party-jackson-core/2.28.12, , restricted, clearlydefined +maven/mavencentral/software.amazon.awssdk/third-party-jackson-core/2.28.12, Apache-2.0 AND BSD-2-Clause, restricted, clearlydefined maven/mavencentral/software.amazon.awssdk/utils/2.26.27, Apache-2.0, approved, clearlydefined maven/mavencentral/software.amazon.awssdk/utils/2.28.12, , restricted, clearlydefined maven/mavencentral/software.amazon.eventstream/eventstream/1.0.1, Apache-2.0, approved, clearlydefined diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java index 7a5b6cffe..730a47df1 100644 --- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java +++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java @@ -270,6 +270,11 @@ public Result revoke(String transferProcessId, String reason) { } private Result deleteTokenData(AccessTokenData tokenData) { + var deletionResult = vault.deleteSecret(tokenData.id()); + if (deletionResult.failed()) { + return deletionResult; + } + var result = accessTokenDataStore.deleteById(tokenData.id()); if (result.failed()) { return Result.failure(result.getFailureDetail()); diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java index 05daa76d9..7844a6f74 100644 --- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java +++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java @@ -19,6 +19,7 @@ package org.eclipse.tractusx.edc.dataplane.tokenrefresh.core; +import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; @@ -31,6 +32,7 @@ import com.nimbusds.jwt.SignedJWT; import org.eclipse.edc.boot.vault.InMemoryVault; import org.eclipse.edc.connector.dataplane.framework.store.InMemoryAccessTokenDataStore; +import org.eclipse.edc.connector.dataplane.spi.AccessTokenData; import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver; import org.eclipse.edc.junit.annotations.ComponentTest; import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames; @@ -39,6 +41,7 @@ import org.eclipse.edc.query.CriterionOperatorRegistryImpl; import org.eclipse.edc.security.token.jwt.CryptoConverter; import org.eclipse.edc.security.token.jwt.DefaultJwsSignerProvider; +import org.eclipse.edc.spi.iam.ClaimToken; import org.eclipse.edc.spi.iam.TokenParameters; import org.eclipse.edc.spi.result.Result; import org.eclipse.edc.spi.types.domain.DataAddress; @@ -77,6 +80,8 @@ class DataPlaneTokenRefreshServiceImplComponentTest { private final PrivateKeyResolver privateKeyResolver = mock(); private DataPlaneTokenRefreshServiceImpl tokenRefreshService; private InMemoryAccessTokenDataStore tokenDataStore; + private InMemoryVault vault; + private ObjectMapper objectMapper; private ECKey consumerKey; private ECKey providerKey; @@ -89,7 +94,9 @@ void setup() throws JOSEException { var privateKey = providerKey.toPrivateKey(); + objectMapper = new ObjectMapper(); tokenDataStore = new InMemoryAccessTokenDataStore(CriterionOperatorRegistryImpl.ofDefaults()); + vault = new InMemoryVault(mock()); tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(), new TokenValidationServiceImpl(), didPkResolverMock, @@ -103,8 +110,8 @@ void setup() throws JOSEException { 1, 300L, () -> providerKey.getKeyID(), - new InMemoryVault(mock()), - new ObjectMapper()); + vault, + objectMapper); when(privateKeyResolver.resolvePrivateKey(privateKeyAlias)).thenReturn(Result.success(privateKey)); when(localPublicKeyService.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey())); @@ -303,6 +310,23 @@ void resolve_notFound() { .detail().isEqualTo("AccessTokenData with ID '%s' does not exist.".formatted(tokenId)); } + @Test + void revoke_successful() throws JsonProcessingException { + var tokenId = "token-id"; + var transferProcessId = "dummy-tp-id"; + var accessTokenData = new AccessTokenData(tokenId, ClaimToken.Builder.newInstance().claim("claim1", "value1").build(), + DataAddress.Builder.newInstance().type("type").build(), Map.of("process_id", transferProcessId)); + var refreshToken = new RefreshToken("dummy-token", 0L, "dummy-refresh-endpoint"); + + tokenDataStore.store(accessTokenData); + vault.storeSecret(tokenId, objectMapper.writeValueAsString(refreshToken)); + + assertThat(tokenRefreshService.revoke(transferProcessId, "good-reason")) + .isSucceeded(); + assertThat(tokenDataStore.getById(tokenId)).isNull(); + assertThat(vault.resolveSecret(tokenId)).isNull(); + } + private JWTClaimsSet.Builder getAuthTokenClaims(String tokenId, String accessToken) { return new JWTClaimsSet.Builder() .jwtID(tokenId)