From 4c2d9f6275ba36f81722f44006624adf1318cc5d Mon Sep 17 00:00:00 2001 From: Eric Enns <492127+ericenns@users.noreply.github.com> Date: Wed, 13 Nov 2024 11:29:05 -0600 Subject: [PATCH 1/2] chore(deps): Update spring-security-oauth2-authorization-server to 0.4.5 and spring-security to 5.8.15 --- build.gradle.kts | 4 ++-- .../config/security/IridaOauthSecurityConfig.java | 12 ++++++------ .../oauth2/IridaOAuth2AuthorizationService.java | 2 +- .../oauth2/IridaRegisteredClientsRepository.java | 4 ++-- ...ResourceOwnerPasswordAuthenticationProvider.java | 9 +++++---- .../database/changesets/unreleased/all-changes.xml | 3 ++- .../update-oauth2-authorization-table.xml | 13 +++++++++++++ .../bioinformatics/irida/sql/oauth-token.sql | 4 ++-- 8 files changed, 33 insertions(+), 18 deletions(-) create mode 100644 src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml diff --git a/build.gradle.kts b/build.gradle.kts index a402a76510e..24983072030 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -122,10 +122,10 @@ dependencies { implementation("org.springframework.boot:spring-boot-starter-validation") implementation("org.springframework.boot:spring-boot-starter-security") implementation("org.springframework.boot:spring-boot-starter-data-ldap") - implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.3.1") + implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.4.5") implementation("org.springframework.ldap:spring-ldap-core") implementation("org.springframework.security:spring-security-ldap") - implementation("org.springframework.security:spring-security-oauth2-resource-server:5.7.3") + implementation("org.springframework.security:spring-security-oauth2-resource-server:5.8.15") implementation("com.nimbusds:oauth2-oidc-sdk:11.20.1") implementation("org.springframework.boot:spring-boot-starter-data-jpa") implementation("org.springframework.data:spring-data-envers") { diff --git a/src/main/java/ca/corefacility/bioinformatics/irida/config/security/IridaOauthSecurityConfig.java b/src/main/java/ca/corefacility/bioinformatics/irida/config/security/IridaOauthSecurityConfig.java index 8ee7134e3bc..85908a9fdff 100644 --- a/src/main/java/ca/corefacility/bioinformatics/irida/config/security/IridaOauthSecurityConfig.java +++ b/src/main/java/ca/corefacility/bioinformatics/irida/config/security/IridaOauthSecurityConfig.java @@ -27,8 +27,8 @@ import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration; -import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer; +import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration; +import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.crypto.password.PasswordEncoder; @@ -38,7 +38,7 @@ import org.springframework.security.oauth2.server.authorization.*; import org.springframework.security.oauth2.server.authorization.authentication.ClientSecretAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; -import org.springframework.security.oauth2.server.authorization.config.ProviderSettings; +import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module; import org.springframework.security.oauth2.server.authorization.token.*; import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter; @@ -159,7 +159,7 @@ protected static class AuthorizationServerConfig { @Bean @Order(Ordered.HIGHEST_PRECEDENCE) // apply this SecurityFilterChain first public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { - OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer<>(); + OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer(); RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher(); authorizationServerConfigurer.clientAuthentication(clientAuthentication -> clientAuthentication.authenticationProvider(clientSecretAuthenticationProvider)); @@ -279,8 +279,8 @@ public OAuth2TokenGenerator oAuth2TokenGenerator(JwtEncoder jwtEnco } @Bean - public ProviderSettings providerSettings() { - return ProviderSettings.builder() + public AuthorizationServerSettings authorizationServerSettings() { + return AuthorizationServerSettings.builder() .issuer(serverBase) .authorizationEndpoint("/api/oauth/authorize") .tokenEndpoint("/api/oauth/token") diff --git a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaOAuth2AuthorizationService.java b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaOAuth2AuthorizationService.java index 74331221c51..38723b2eebc 100644 --- a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaOAuth2AuthorizationService.java +++ b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaOAuth2AuthorizationService.java @@ -9,7 +9,7 @@ import org.springframework.jdbc.core.JdbcOperations; import org.springframework.jdbc.core.PreparedStatementSetter; import org.springframework.security.oauth2.core.OAuth2AccessToken; -import org.springframework.security.oauth2.core.OAuth2TokenType; +import org.springframework.security.oauth2.server.authorization.OAuth2TokenType; import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; diff --git a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaRegisteredClientsRepository.java b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaRegisteredClientsRepository.java index ca5d4bdbda5..7125b7676ee 100644 --- a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaRegisteredClientsRepository.java +++ b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/IridaRegisteredClientsRepository.java @@ -7,8 +7,8 @@ import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; -import org.springframework.security.oauth2.server.authorization.config.ClientSettings; -import org.springframework.security.oauth2.server.authorization.config.TokenSettings; +import org.springframework.security.oauth2.server.authorization.settings.ClientSettings; +import org.springframework.security.oauth2.server.authorization.settings.TokenSettings; import org.springframework.stereotype.Component; import ca.corefacility.bioinformatics.irida.model.IridaClientDetails; diff --git a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/OAuth2ResourceOwnerPasswordAuthenticationProvider.java b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/OAuth2ResourceOwnerPasswordAuthenticationProvider.java index cbfeae1ab9f..3a0369ac80f 100644 --- a/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/OAuth2ResourceOwnerPasswordAuthenticationProvider.java +++ b/src/main/java/ca/corefacility/bioinformatics/irida/oauth2/OAuth2ResourceOwnerPasswordAuthenticationProvider.java @@ -14,12 +14,13 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.core.*; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.security.oauth2.server.authorization.OAuth2TokenType; import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; -import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder; +import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder; import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator; @@ -44,7 +45,7 @@ public class OAuth2ResourceOwnerPasswordAuthenticationProvider implements Authen /** * Constructs an {@code OAuth2ResourceOwnerPasswordAuthenticationProvider} using the provided parameters. - * + * * @param authenticationManager * @param authorizationService * @param tokenGenerator @@ -93,7 +94,7 @@ public Authentication authenticate(Authentication authentication) throws Authent DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder() .registeredClient(registeredClient) .principal(usernamePasswordAuthentication) - .providerContext(ProviderContextHolder.getProviderContext()) + .authorizationServerContext(AuthorizationServerContextHolder.getContext()) .authorizedScopes(authorizedScopes) .authorizationGrantType(AuthorizationGrantType.PASSWORD) .authorizationGrant(resouceOwnerPasswordAuthentication); @@ -133,7 +134,7 @@ public Authentication authenticate(Authentication authentication) throws Authent OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient) .principalName(usernamePasswordAuthentication.getName()) .authorizationGrantType(AuthorizationGrantType.PASSWORD) - .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes) + .authorizedScopes(authorizedScopes) .attribute(Principal.class.getName(), usernamePasswordAuthentication); // @formatter:on if (generatedAccessToken instanceof ClaimAccessor) { diff --git a/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/all-changes.xml b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/all-changes.xml index a4e4c207414..77bb663db65 100644 --- a/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/all-changes.xml +++ b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/all-changes.xml @@ -3,4 +3,5 @@ - \ No newline at end of file + + diff --git a/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml new file mode 100644 index 00000000000..caa93f83c65 --- /dev/null +++ b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml @@ -0,0 +1,13 @@ + + + + + + + + + + diff --git a/src/main/resources/ca/corefacility/bioinformatics/irida/sql/oauth-token.sql b/src/main/resources/ca/corefacility/bioinformatics/irida/sql/oauth-token.sql index 2d168a727bb..ecaf6dbbb52 100644 --- a/src/main/resources/ca/corefacility/bioinformatics/irida/sql/oauth-token.sql +++ b/src/main/resources/ca/corefacility/bioinformatics/irida/sql/oauth-token.sql @@ -24,6 +24,6 @@ insert into client_details_grant_types (client_details_id,grant_value) values (3 insert into client_details_grant_types (client_details_id,grant_value) values (4,"password"); insert into client_details_grant_types (client_details_id,grant_value) values (5,"authorization_code"); -CREATE TABLE `oauth2_authorization` ( `id` varchar(100) NOT NULL, `registered_client_id` varchar(100) NOT NULL, `principal_name` varchar(200) NOT NULL, `authorization_grant_type` varchar(100) NOT NULL, `attributes` varchar(4000) DEFAULT NULL, `state` varchar(500) DEFAULT NULL, `authorization_code_value` blob DEFAULT NULL, `authorization_code_issued_at` timestamp NULL DEFAULT NULL, `authorization_code_expires_at` timestamp NULL DEFAULT NULL, `authorization_code_metadata` varchar(2000) DEFAULT NULL, `access_token_value` blob DEFAULT NULL, `access_token_issued_at` timestamp NULL DEFAULT NULL, `access_token_expires_at` timestamp NULL DEFAULT NULL, `access_token_metadata` varchar(2000) DEFAULT NULL, `access_token_type` varchar(100) DEFAULT NULL, `access_token_scopes` varchar(1000) DEFAULT NULL, `oidc_id_token_value` blob DEFAULT NULL, `oidc_id_token_issued_at` timestamp NULL DEFAULT NULL, `oidc_id_token_expires_at` timestamp NULL DEFAULT NULL, `oidc_id_token_metadata` varchar(2000) DEFAULT NULL, `refresh_token_value` blob DEFAULT NULL, `refresh_token_issued_at` timestamp NULL DEFAULT NULL, `refresh_token_expires_at` timestamp NULL DEFAULT NULL, `refresh_token_metadata` varchar(2000) DEFAULT NULL, PRIMARY KEY (`id`)); +CREATE TABLE `oauth2_authorization` ( `id` varchar(100) NOT NULL, `registered_client_id` varchar(100) NOT NULL, `principal_name` varchar(200) NOT NULL, `authorization_grant_type` varchar(100) NOT NULL, `authorized_scopes` varchar(255) DEFAULT NULL, `attributes` varchar(4000) DEFAULT NULL, `state` varchar(500) DEFAULT NULL, `authorization_code_value` blob DEFAULT NULL, `authorization_code_issued_at` timestamp NULL DEFAULT NULL, `authorization_code_expires_at` timestamp NULL DEFAULT NULL, `authorization_code_metadata` varchar(2000) DEFAULT NULL, `access_token_value` blob DEFAULT NULL, `access_token_issued_at` timestamp NULL DEFAULT NULL, `access_token_expires_at` timestamp NULL DEFAULT NULL, `access_token_metadata` varchar(2000) DEFAULT NULL, `access_token_type` varchar(100) DEFAULT NULL, `access_token_scopes` varchar(1000) DEFAULT NULL, `oidc_id_token_value` blob DEFAULT NULL, `oidc_id_token_issued_at` timestamp NULL DEFAULT NULL, `oidc_id_token_expires_at` timestamp NULL DEFAULT NULL, `oidc_id_token_metadata` varchar(2000) DEFAULT NULL, `oidc_id_token_claims` varchar(2000) DEFAULT NULL, `refresh_token_value` blob DEFAULT NULL, `refresh_token_issued_at` timestamp NULL DEFAULT NULL, `refresh_token_expires_at` timestamp NULL DEFAULT NULL, `refresh_token_metadata` varchar(2000) DEFAULT NULL, PRIMARY KEY (`id`)); -CREATE TABLE `oauth2_authorization_consent` ( `registered_client_id` varchar(100) NOT NULL, `principal_name` varchar(200) NOT NULL, `authorities` varchar(1000) NOT NULL, PRIMARY KEY (`registered_client_id`, `principal_name`)); \ No newline at end of file +CREATE TABLE `oauth2_authorization_consent` ( `registered_client_id` varchar(100) NOT NULL, `principal_name` varchar(200) NOT NULL, `authorities` varchar(1000) NOT NULL, PRIMARY KEY (`registered_client_id`, `principal_name`)); From d25f2bb0048f2ffc2f2702f55a87fb7d051ce653 Mon Sep 17 00:00:00 2001 From: Eric Enns <492127+ericenns@users.noreply.github.com> Date: Wed, 13 Nov 2024 13:29:01 -0600 Subject: [PATCH 2/2] chore: add in liquibase changeset --- .../corefacility/bioinformatics/irida/database/all-changes.xml | 1 + .../changesets/unreleased/update-oauth2-authorization-table.xml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/resources/ca/corefacility/bioinformatics/irida/database/all-changes.xml b/src/main/resources/ca/corefacility/bioinformatics/irida/database/all-changes.xml index 2f69882c883..0a6d1629ae2 100644 --- a/src/main/resources/ca/corefacility/bioinformatics/irida/database/all-changes.xml +++ b/src/main/resources/ca/corefacility/bioinformatics/irida/database/all-changes.xml @@ -75,4 +75,5 @@ + diff --git a/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml index caa93f83c65..5a1d9564828 100644 --- a/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml +++ b/src/main/resources/ca/corefacility/bioinformatics/irida/database/changesets/unreleased/update-oauth2-authorization-table.xml @@ -7,7 +7,7 @@ - +