Using JwtSigningKeyResolver component in CookieAuthenticationResultSaver instead of duplicate code

bdemers · bdemers · commit b9c0c15a11a1 · 2017-03-27T14:57:45.000-04:00
diff --git a/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaver.java b/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaver.java
@@ -39,6 +39,8 @@
 import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.SigningKeyResolver;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import org.joda.time.DateTime;
 import org.joda.time.Seconds;
 import org.slf4j.Logger;
@@ -47,6 +49,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.UnsupportedEncodingException;
+import java.security.Key;
 import java.util.Date;
 
 /**
@@ -65,15 +68,19 @@ public class CookieAuthenticationResultSaver implements Saver<AuthenticationResu
     private final CookieConfig accessTokenCookieConfig;
     private final CookieConfig refreshTokenCookieConfig;
 
+    private final JwtSigningKeyResolver signingKeyResolver;
+
     public CookieAuthenticationResultSaver(CookieConfig accessTokenCookieConfig,
                                            CookieConfig refreshTokenCookieConfig,
-                                           Resolver<Boolean> secureCookieRequired) {
+                                           Resolver<Boolean> secureCookieRequired,
+                                           JwtSigningKeyResolver signingKeyResolver) {
         Assert.notNull(accessTokenCookieConfig, "accessTokenCookieConfig cannot be null.");
         Assert.notNull(refreshTokenCookieConfig, "refreshTokenCookieConfig cannot be null.");
         Assert.notNull(secureCookieRequired, "secureCookieRequired cannot be null.");
         this.accessTokenCookieConfig = accessTokenCookieConfig;
         this.refreshTokenCookieConfig = refreshTokenCookieConfig;
         this.secureCookieRequired = secureCookieRequired;
+        this.signingKeyResolver = signingKeyResolver;
     }
 
     @Override
@@ -93,10 +100,10 @@ public void set(HttpServletRequest request, HttpServletResponse response, Authen
             String accessToken = accessTokenResult.getTokenResponse().getAccessToken();
             String refreshToken = accessTokenResult.getTokenResponse().getRefreshToken();
 
-            getAccessTokenCookieSaver(request, getMaxAge(accessToken, clientSecret, accessTokenCookieConfig)).set(request, response, accessToken);
+            getAccessTokenCookieSaver(request, getMaxAge(accessToken, clientSecret, accessTokenCookieConfig, request, response)).set(request, response, accessToken);
             //Client Credentials auth workflow doesn't contains a refresh token
             if (Strings.hasText(refreshToken)) {
-                getRefreshTokenCookieSaver(request, getMaxAge(refreshToken, clientSecret, refreshTokenCookieConfig)).set(request, response, refreshToken);
+                getRefreshTokenCookieSaver(request, getMaxAge(refreshToken, clientSecret, refreshTokenCookieConfig, request, response)).set(request, response, refreshToken);
             }
         }
         if (value instanceof TransientAuthenticationResult) {
@@ -121,8 +128,8 @@ public void set(HttpServletRequest request, HttpServletResponse response, Authen
                 String accessToken = authenticationResult.getAccessTokenString();
                 String refreshToken = authenticationResult.getRefreshTokenString();
 
-                getAccessTokenCookieSaver(request, getMaxAge(accessToken, clientSecret, accessTokenCookieConfig)).set(request, response, accessToken);
-                getRefreshTokenCookieSaver(request, getMaxAge(refreshToken, clientSecret, refreshTokenCookieConfig)).set(request, response, refreshToken);
+                getAccessTokenCookieSaver(request, getMaxAge(accessToken, clientSecret, accessTokenCookieConfig, request, response)).set(request, response, accessToken);
+                getRefreshTokenCookieSaver(request, getMaxAge(refreshToken, clientSecret, refreshTokenCookieConfig, request, response)).set(request, response, refreshToken);
             } catch (UnsupportedEncodingException e) {
                 //Should not happen since UTF-8 should always be a supported encoding, but we logged just in case
                 log.error("Error get the client API Secret", e);
@@ -234,7 +241,7 @@ public String getDomain() {
 
             @Override
             public int getMaxAge() {
-                return 1;
+                return maxAge;
             }
 
             @Override
@@ -254,18 +261,28 @@ public boolean isHttpOnly() {
         });
     }
 
-    private int getMaxAge(String token, byte[] clientSecret, CookieConfig cookieConfig) {
+    private int getMaxAge(String token, byte[] clientSecret, CookieConfig cookieConfig, HttpServletRequest request, HttpServletResponse response) {
         // non-zero indicates override from cookie config
-//        if (cookieConfig.getMaxAge() != 0) {
+        if (cookieConfig.getMaxAge() != 0 || token.split("\\.").length != 3) {
             return cookieConfig.getMaxAge();
-//        }
-
-//        // otherwise, use the claims in the JWT to determine maxAge
-//        Jws<Claims> claimsJws = Jwts.parser().setSigningKey(clientSecret).parseClaimsJws(token);
-//        DateTime issueAt = new DateTime(claimsJws.getBody().getIssuedAt());
-//        DateTime expiration = new DateTime(claimsJws.getBody().getExpiration());
-//
-//
-//        return Seconds.secondsBetween(issueAt, expiration).getSeconds() - Seconds.secondsBetween(issueAt, DateTime.now()).getSeconds();
+        }
+
+        // otherwise, use the claims in the JWT to determine maxAge
+        Jws<Claims> claimsJws = Jwts.parser().setSigningKeyResolver(createKeyResolver(request, response)).parseClaimsJws(token);
+        DateTime issueAt = new DateTime(claimsJws.getBody().getIssuedAt());
+        DateTime expiration = new DateTime(claimsJws.getBody().getExpiration());
+
+
+        return Seconds.secondsBetween(issueAt, expiration).getSeconds() - Seconds.secondsBetween(issueAt, DateTime.now()).getSeconds();
+    }
+
+    private SigningKeyResolver createKeyResolver(final HttpServletRequest request, final HttpServletResponse response) {
+        return new SigningKeyResolverAdapter() {
+
+            @Override
+            public Key resolveSigningKey(JwsHeader header, Claims claims) {
+                return signingKeyResolver.getSigningKey(request, response, header, claims);
+            }
+        };
     }
 }
diff --git a/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/account/config/CookieAuthenticationResultSaverFactory.java b/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/account/config/CookieAuthenticationResultSaverFactory.java
@@ -21,6 +21,7 @@
 import com.stormpath.sdk.servlet.config.ConfigSingletonFactory;
 import com.stormpath.sdk.servlet.config.CookieConfig;
 import com.stormpath.sdk.servlet.filter.account.CookieAuthenticationResultSaver;
+import com.stormpath.sdk.servlet.filter.account.JwtSigningKeyResolver;
 import com.stormpath.sdk.servlet.http.Resolver;
 import com.stormpath.sdk.servlet.http.Saver;
 
@@ -39,10 +40,12 @@ protected Saver<AuthenticationResult> createInstance(ServletContext servletConte
         CookieConfig accessTokenCookieConfig = config.getAccessTokenCookieConfig();
         CookieConfig refreshTokenCookieConfig = config.getRefreshTokenCookieConfig();
         Resolver<Boolean> secureCookieRequired = config.getInstance(COOKIE_SECURE_RESOLVER);
+        JwtSigningKeyResolver signingKeyResolver = config.getInstance(JwtSigningKeyResolver.class.getName()); // TODO: does this work?
         return new CookieAuthenticationResultSaver(
                 accessTokenCookieConfig,
                 refreshTokenCookieConfig,
-                secureCookieRequired
+                secureCookieRequired,
+                signingKeyResolver
         );
     }
 }
diff --git a/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaverHttpsWarningTest.groovy b/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaverHttpsWarningTest.groovy
@@ -11,6 +11,7 @@ import org.testng.annotations.Test
 import javax.servlet.http.HttpServletRequest
 import javax.servlet.http.HttpServletResponse
 
+import static org.easymock.EasyMock.createMock
 import static org.easymock.EasyMock.expect
 import static org.easymock.EasyMock.isA
 import static org.easymock.EasyMock.isNull
@@ -41,7 +42,7 @@ class CookieAuthenticationResultSaverHttpsWarningTest extends PowerMockTestCase
         HttpServletRequest request = createMock(HttpServletRequest.class)
         CookieConfig accessTokenConfig = createMock(CookieConfig.class)
         CookieConfig refreshTokenConfig = createMock(CookieConfig.class)
-
+        JwtSigningKeyResolver signingKeyResolver = createMock(JwtSigningKeyResolver.class)
         def resolver = createMock(Resolver.class)
 
         expect(accessTokenConfig.isSecure()).andReturn(true)
@@ -50,13 +51,13 @@ class CookieAuthenticationResultSaverHttpsWarningTest extends PowerMockTestCase
         expect(log.warn(isA(String)))
 
         replay LoggerFactory.class
-        replay log, request, accessTokenConfig, refreshTokenConfig, resolver
+        replay log, request, accessTokenConfig, refreshTokenConfig, resolver, signingKeyResolver
 
-        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver)
+        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver, signingKeyResolver)
         assertFalse saver.isCookieSecure(request, accessTokenConfig)
 
         verify LoggerFactory.class
-        verify log, request, accessTokenConfig, refreshTokenConfig, resolver
+        verify log, request, accessTokenConfig, refreshTokenConfig, resolver, signingKeyResolver
         reset LoggerFactory.class
     }
 }
diff --git a/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaverTest.groovy b/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaverTest.groovy
@@ -43,6 +43,7 @@ class CookieAuthenticationResultSaverTest extends PowerMockTestCase {
         HttpServletRequest request = createMock(HttpServletRequest.class)
         CookieConfig accessTokenConfig = createMock(CookieConfig.class)
         CookieConfig refreshTokenConfig = createMock(CookieConfig.class)
+        JwtSigningKeyResolver signingKeyResolver = createMock(JwtSigningKeyResolver.class)
 
         //Let's make the IsRequestSecureResolver return true
         def resolver = new Resolver<Boolean>() {
@@ -55,13 +56,13 @@ class CookieAuthenticationResultSaverTest extends PowerMockTestCase {
         expect(accessTokenConfig.isSecure()).andReturn(true)
         expect(request.getScheme()).andReturn "http"
 
-        replay request, accessTokenConfig, refreshTokenConfig
+        replay request, accessTokenConfig, refreshTokenConfig, signingKeyResolver
 
-        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver)
+        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver, signingKeyResolver)
 
         assertFalse saver.isCookieSecure(request, accessTokenConfig)
 
-        verify request, refreshTokenConfig, refreshTokenConfig
+        verify request, refreshTokenConfig, refreshTokenConfig, signingKeyResolver
     }
 
     /**
@@ -73,6 +74,7 @@ class CookieAuthenticationResultSaverTest extends PowerMockTestCase {
         HttpServletRequest request = createMock(HttpServletRequest.class)
         CookieConfig accessTokenConfig = createMock(CookieConfig.class)
         CookieConfig refreshTokenConfig = createMock(CookieConfig.class)
+        JwtSigningKeyResolver signingKeyResolver = createMock(JwtSigningKeyResolver.class)
         def localhost = createMock(Resolver.class)
 
         def resolver = new SecureRequiredExceptForLocalhostResolver(localhost) {
@@ -85,12 +87,12 @@ class CookieAuthenticationResultSaverTest extends PowerMockTestCase {
         expect(accessTokenConfig.isSecure()).andReturn(true)
         expect(request.getScheme()).andReturn "https"
 
-        replay request, accessTokenConfig, refreshTokenConfig, localhost
+        replay request, accessTokenConfig, refreshTokenConfig, localhost, signingKeyResolver
 
-        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver)
+        def saver = new CookieAuthenticationResultSaver(accessTokenConfig, refreshTokenConfig, resolver, signingKeyResolver)
 
         assertFalse saver.isCookieSecure(request, accessTokenConfig)
 
-        verify request, refreshTokenConfig, refreshTokenConfig, localhost
+        verify request, refreshTokenConfig, refreshTokenConfig, localhost, signingKeyResolver
     }
 }
diff --git a/extensions/spring/stormpath-spring-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebMvcConfiguration.java b/extensions/spring/stormpath-spring-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebMvcConfiguration.java
@@ -169,6 +169,8 @@
 import com.stormpath.spring.mvc.TemplateLayoutInterceptor;
 import com.stormpath.spring.mvc.VerifyControllerConfig;
 import com.stormpath.spring.util.SpringPatternMatcher;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.SignatureAlgorithm;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -212,6 +214,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.security.Key;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -755,7 +758,8 @@ public Saver<AuthenticationResult> stormpathCookieAuthenticationResultSaver() {
             return new CookieAuthenticationResultSaver(
                 stormpathAccessTokenCookieConfig(),
                 stormpathRefreshTokenCookieConfig(),
-                stormpathSecureResolver()
+                stormpathSecureResolver(),
+                stormpathJwtSigningKeyResolver()
             );
         }
 
@@ -789,7 +793,21 @@ public Saver<AuthenticationResult> stormpathAuthenticationResultSaver() {
     }
 
     public JwtSigningKeyResolver stormpathJwtSigningKeyResolver() {
-        return new JwtTokenSigningKeyResolver();
+        if (oktaEnabled) {
+            return new JwtSigningKeyResolver() {
+                @Override
+                public Key getSigningKey(HttpServletRequest request, HttpServletResponse response, AuthenticationResult result, SignatureAlgorithm alg) {
+                    throw new UnsupportedOperationException("getSigningKey() is not supported");
+                }
+
+                @Override
+                public Key getSigningKey(HttpServletRequest request, HttpServletResponse response, JwsHeader jwsHeader, Claims claims) {
+                    return client.instantiate(OktaSigningKeyResolver.class).resolveSigningKey(jwsHeader, claims);
+                }
+            };
+        } else {
+            return new JwtTokenSigningKeyResolver();
+        }
     }
 
     public RequestEventListener stormpathRequestEventListener() {
