Merge branch 'master' into add-arm64-architecture

jksolbakken · web-flow · commit 60f201713871 · 2022-04-29T13:12:23.000+02:00
diff --git a/.github/workflows/manual_testing.yml b/.github/workflows/manual_testing.yml
@@ -0,0 +1,50 @@
+name: Manually triggered playground
+
+on:
+  workflow_dispatch:
+
+env:
+
+  IMAGE_NAME: ttl.sh/${{ github.repository }}
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout latest code
+        uses: actions/checkout@v3
+        with:
+          ref: add-arm64-architecture
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: 'zulu'
+
+      - name: Setup build cache
+        uses: actions/cache@v3
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle.kts') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+
+      - name: Setup Gradle wrapper cache
+        uses: actions/cache@v3
+        with:
+          path: ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-wrapper-
+
+      - name: Build JVM stuff
+        run: ./gradlew build
+
+      - name: Build Docker images for amd64 and arm64
+        # The GITHUB_REF tag comes in the format 'refs/tags/xxx'.
+        # So if we split on '/' and take the 3rd value, we can get the release name.
+        run: |
+          NEW_VERSION=1h
+          IMAGE=${IMAGE_NAME}:${NEW_VERSION}
+          echo "Building new version ${NEW_VERSION} of $IMAGE"
+          ./gradlew jib --image="${IMAGE}"
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -60,7 +60,7 @@ jobs:
           NEW_VERSION=$(echo "${GITHUB_REF}" | cut -d "/" -f3)
           IMAGE=${IMAGE_NAME}:${NEW_VERSION}
           echo "Releasing new version ${NEW_VERSION} of $IMAGE"
-          ./gradlew -Pversion=${NEW_VERSION} publish closeAndReleaseRepository -Dorg.gradle.internal.publish.checksums.insecure=true --info
+          ./gradlew -Pversion=${NEW_VERSION} publish publishToSonatype closeAndReleaseStagingRepository -Dorg.gradle.internal.publish.checksums.insecure=true --info
           ./gradlew jibDockerBuild --image="${IMAGE}"
           docker push "${IMAGE}"
 
diff --git a/README.md b/README.md
@@ -26,6 +26,8 @@ The motivation behind this library is to provide a setup such that application d
   * OAuth2 JWT Bearer Grant (On-Behalf-Of flow)
   * OAuth2 Token Exchange Grant
   * OAuth2 Refresh Token Grant
+  * OAuth2 Resource Owner Password Credentials (Password Grant)
+    * *usage should be avoided if possible as this grant is considered insecure and [removed in its entirety](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4) from OAuth 2.1*
 * **Issued JWT tokens are verifiable** through standard mechanisms with OpenID Connect Discovery / OAuth2 Authorization Server Metadata
 * **Unit/Integration test support**
   * Start and stop server for each test
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -4,33 +4,32 @@ import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
 val assertjVersion = "3.22.0"
 val kotlinLoggingVersion = "2.1.21"
 val logbackVersion = "1.2.11"
-val nimbusSdkVersion = "9.32"
+val nimbusSdkVersion = "9.35"
 val mockWebServerVersion = "4.9.3"
 val jacksonVersion = "2.13.2"
-val nettyVersion = "4.1.75.Final"
+val nettyVersion = "4.1.76.Final"
 val junitJupiterVersion = "5.8.2"
-val kotlinVersion = "1.6.20"
+val kotlinVersion = "1.6.21"
 val freemarkerVersion = "2.3.31"
-val kotestVersion = "5.2.2"
+val kotestVersion = "5.2.3"
 val bouncyCastleVersion = "1.70"
-val springBootVersion = "2.6.6"
-val reactorTestVersion = "3.4.16"
+val springBootVersion = "2.6.7"
+val reactorTestVersion = "3.4.17"
 val ktorVersion = "1.6.8"
 
 val mavenRepoBaseUrl = "https://oss.sonatype.org"
 val mainClassKt = "no.nav.security.mock.oauth2.StandaloneMockOAuth2ServerKt"
 
 plugins {
     application
-    kotlin("jvm") version "1.6.20"
+    kotlin("jvm") version "1.6.21"
     id("se.patrikerdes.use-latest-versions") version "0.2.18"
     id("com.github.ben-manes.versions") version "0.42.0"
-    id("org.jmailen.kotlinter") version "3.9.0"
+    id("org.jmailen.kotlinter") version "3.10.0"
     id("com.google.cloud.tools.jib") version "3.2.1"
     id("com.github.johnrengelman.shadow") version "7.1.2"
     id("net.researchgate.release") version "2.8.1"
-    id("io.codearte.nexus-staging") version "0.30.0"
-    id("de.marcphilipp.nexus-publish") version "0.4.0"
+    id("io.github.gradle-nexus.publish-plugin") version "1.1.0"
     `java-library`
     `maven-publish`
     signing
@@ -90,17 +89,19 @@ dependencies {
     testImplementation("io.ktor:ktor-server-test-host:$ktorVersion")
 }
 
-nexusStaging {
-    username = System.getenv("SONATYPE_USERNAME")
-    password = System.getenv("SONATYPE_PASSWORD")
-    packageGroup = "no.nav"
-    delayBetweenRetriesInMillis = 5000
-}
-
 nexusPublishing {
+    packageGroup.set("no.nav")
     clientTimeout.set(Duration.ofMinutes(2))
     repositories {
-        sonatype()
+        sonatype {
+            username.set(System.getenv("SONATYPE_USERNAME"))
+            password.set(System.getenv("SONATYPE_PASSWORD"))
+        }
+    }
+
+    transitionCheckOptions {
+        maxRetries.set(40)
+        delayBetween.set(Duration.ofMillis(5000))
     }
 }
 
@@ -257,14 +258,6 @@ tasks {
         dependsOn("shadowJar")
     }
 
-    "publish" {
-        dependsOn("initializeSonatypeStagingRepository")
-    }
-
-    "publishToSonatype" {
-        dependsOn("publish")
-    }
-
     withType<Sign>().configureEach {
         onlyIf {
             System.getenv("GPG_KEYS") != null
diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2Server.kt b/src/main/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2Server.kt
@@ -21,7 +21,7 @@ object StandaloneConfig {
     fun hostname(): InetAddress = SERVER_HOSTNAME.fromEnv()
         ?.let { InetAddress.getByName(it) } ?: InetSocketAddress(0).address
 
-    fun port(): Int = (SERVER_PORT.fromEnv()?.toInt() ?: PORT.fromEnv()?.toInt())?: 8080
+    fun port(): Int = (SERVER_PORT.fromEnv()?.toInt() ?: PORT.fromEnv()?.toInt()) ?: 8080
 
     fun oauth2Config(): OAuth2Config = with(jsonFromEnv()) {
         if (this != null) {
diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeGrantHandler.kt b/src/main/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeGrantHandler.kt
@@ -76,7 +76,7 @@ internal class AuthorizationCodeHandler(
         val loginTokenCallbackOrDefault = getLoginTokenCallbackOrDefault(code, oAuth2TokenCallback)
         val idToken: SignedJWT = tokenProvider.idToken(tokenRequest, issuerUrl, loginTokenCallbackOrDefault, nonce)
         val accessToken: SignedJWT = tokenProvider.accessToken(tokenRequest, issuerUrl, loginTokenCallbackOrDefault, nonce)
-        val refreshToken: RefreshToken = refreshTokenManager.refreshToken(loginTokenCallbackOrDefault)
+        val refreshToken: RefreshToken = refreshTokenManager.refreshToken(loginTokenCallbackOrDefault, nonce)
 
         return OAuth2TokenResponse(
             tokenType = "Bearer",
diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/grant/PasswordGrantHandler.kt b/src/main/kotlin/no/nav/security/mock/oauth2/grant/PasswordGrantHandler.kt
@@ -0,0 +1,44 @@
+package no.nav.security.mock.oauth2.grant
+
+import com.nimbusds.jwt.SignedJWT
+import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant
+import com.nimbusds.oauth2.sdk.TokenRequest
+import no.nav.security.mock.oauth2.extensions.expiresIn
+import no.nav.security.mock.oauth2.http.OAuth2HttpRequest
+import no.nav.security.mock.oauth2.http.OAuth2TokenResponse
+import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
+import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
+import okhttp3.HttpUrl
+
+internal class PasswordGrantHandler(
+    private val tokenProvider: OAuth2TokenProvider
+) : GrantHandler {
+
+    override fun tokenResponse(
+        request: OAuth2HttpRequest,
+        issuerUrl: HttpUrl,
+        oAuth2TokenCallback: OAuth2TokenCallback
+    ): OAuth2TokenResponse {
+        val tokenRequest = request.asNimbusTokenRequest()
+        val scope: String? = tokenRequest.scope?.toString()
+        val passwordGrantTokenCallback = PasswordGrantTokenCallback(oAuth2TokenCallback)
+        val accessToken: SignedJWT = tokenProvider.accessToken(tokenRequest, issuerUrl, passwordGrantTokenCallback)
+
+        return OAuth2TokenResponse(
+            tokenType = "Bearer",
+            accessToken = accessToken.serialize(),
+            expiresIn = accessToken.expiresIn(),
+            scope = scope
+        )
+    }
+
+    private class PasswordGrantTokenCallback(
+        private val tokenCallback: OAuth2TokenCallback
+    ) : OAuth2TokenCallback by tokenCallback {
+
+        override fun subject(tokenRequest: TokenRequest) =
+            tokenRequest.authorizationGrant
+                ?.let { it as? ResourceOwnerPasswordCredentialsGrant }
+                ?.username ?: tokenCallback.subject(tokenRequest)
+    }
+}
diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenManager.kt b/src/main/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenManager.kt
@@ -1,7 +1,9 @@
 package no.nav.security.mock.oauth2.grant
 
-import java.util.UUID
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.PlainJWT
 import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
+import java.util.UUID
 
 typealias RefreshToken = String
 
@@ -10,9 +12,21 @@ internal data class RefreshTokenManager(
 ) {
     operator fun get(refreshToken: RefreshToken) = cache[refreshToken]
 
-    fun refreshToken(tokenCallback: OAuth2TokenCallback): RefreshToken {
-        val refreshToken = UUID.randomUUID().toString()
+    fun refreshToken(tokenCallback: OAuth2TokenCallback, nonce: String?): RefreshToken {
+        val jti = UUID.randomUUID().toString()
+        // added for compatibility with keycloak js client which expects a jwt with nonce
+        val refreshToken = nonce?.let { plainJWT(jti, nonce) } ?: jti
         cache[refreshToken] = tokenCallback
         return refreshToken
     }
+
+    private fun plainJWT(jti: String, nonce: String?): String =
+        PlainJWT(
+            JWTClaimsSet.parse(
+                mapOf(
+                    "jti" to jti,
+                    "nonce" to nonce
+                )
+            )
+        ).serialize()
 }
diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequestHandler.kt b/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequestHandler.kt
@@ -6,6 +6,7 @@ import com.nimbusds.oauth2.sdk.GrantType
 import com.nimbusds.oauth2.sdk.GrantType.AUTHORIZATION_CODE
 import com.nimbusds.oauth2.sdk.GrantType.CLIENT_CREDENTIALS
 import com.nimbusds.oauth2.sdk.GrantType.JWT_BEARER
+import com.nimbusds.oauth2.sdk.GrantType.PASSWORD
 import com.nimbusds.oauth2.sdk.GrantType.REFRESH_TOKEN
 import com.nimbusds.oauth2.sdk.OAuth2Error
 import com.nimbusds.oauth2.sdk.ParseException
@@ -27,6 +28,7 @@ import no.nav.security.mock.oauth2.grant.AuthorizationCodeHandler
 import no.nav.security.mock.oauth2.grant.ClientCredentialsGrantHandler
 import no.nav.security.mock.oauth2.grant.GrantHandler
 import no.nav.security.mock.oauth2.grant.JwtBearerGrantHandler
+import no.nav.security.mock.oauth2.grant.PasswordGrantHandler
 import no.nav.security.mock.oauth2.grant.RefreshTokenGrantHandler
 import no.nav.security.mock.oauth2.grant.RefreshTokenManager
 import no.nav.security.mock.oauth2.grant.TOKEN_EXCHANGE
@@ -56,7 +58,8 @@ class OAuth2HttpRequestHandler(private val config: OAuth2Config) {
         CLIENT_CREDENTIALS to ClientCredentialsGrantHandler(config.tokenProvider),
         JWT_BEARER to JwtBearerGrantHandler(config.tokenProvider),
         TOKEN_EXCHANGE to TokenExchangeGrantHandler(config.tokenProvider),
-        REFRESH_TOKEN to RefreshTokenGrantHandler(config.tokenProvider, refreshTokenManager)
+        REFRESH_TOKEN to RefreshTokenGrantHandler(config.tokenProvider, refreshTokenManager),
+        PASSWORD to PasswordGrantHandler(config.tokenProvider)
     )
 
     private val exceptionHandler: ExceptionHandler = { request, error ->
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2ServerKtTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2ServerKtTest.kt
@@ -54,7 +54,6 @@ internal class StandaloneMockOAuth2ServerKtTest {
         }
     }
 
-
     @Test
     fun `load oauth2Config from file`() {
         withEnvironment(JSON_CONFIG_PATH to configFile) {
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/e2e/PasswordGrantIntegrationTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/e2e/PasswordGrantIntegrationTest.kt
@@ -0,0 +1,46 @@
+package no.nav.security.mock.oauth2.e2e
+
+import com.nimbusds.oauth2.sdk.GrantType
+import io.kotest.matchers.collections.shouldContainExactly
+import io.kotest.matchers.nulls.shouldNotBeNull
+import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.string.shouldContain
+import no.nav.security.mock.oauth2.testutils.ParsedTokenResponse
+import no.nav.security.mock.oauth2.testutils.audience
+import no.nav.security.mock.oauth2.testutils.client
+import no.nav.security.mock.oauth2.testutils.shouldBeValidFor
+import no.nav.security.mock.oauth2.testutils.subject
+import no.nav.security.mock.oauth2.testutils.toTokenResponse
+import no.nav.security.mock.oauth2.testutils.tokenRequest
+import no.nav.security.mock.oauth2.testutils.verifyWith
+import no.nav.security.mock.oauth2.withMockOAuth2Server
+import org.junit.jupiter.api.Test
+
+class PasswordGrantIntegrationTest {
+    private val client = client()
+
+    @Test
+    fun `token request with password grant should return accesstoken with username as subject`() {
+        withMockOAuth2Server {
+            val issuerId = "default"
+            val response: ParsedTokenResponse = client.tokenRequest(
+                url = this.tokenEndpointUrl(issuerId),
+                basicAuth = Pair("client", "secret"),
+                parameters = mapOf(
+                    "grant_type" to GrantType.PASSWORD.value,
+                    "scope" to "scope1",
+                    "username" to "foo",
+                    "password" to "bar",
+                )
+            ).toTokenResponse()
+
+            response shouldBeValidFor GrantType.PASSWORD
+            response.scope shouldContain "scope1"
+            response.accessToken.shouldNotBeNull()
+            response.accessToken should verifyWith(issuerId, this)
+            response.accessToken.subject shouldBe "foo"
+            response.accessToken.audience shouldContainExactly listOf("scope1")
+        }
+    }
+}
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeHandlerTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeHandlerTest.kt
@@ -1,6 +1,7 @@
 package no.nav.security.mock.oauth2.grant
 
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+import com.nimbusds.jwt.PlainJWT
 import com.nimbusds.jwt.SignedJWT
 import com.nimbusds.oauth2.sdk.ResponseMode
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest
@@ -99,6 +100,16 @@ internal class AuthorizationCodeHandlerTest {
         }
     }
 
+    @Test
+    fun `auth request with nonce should result in a token response with refresh token as a JWT containing the nonce`() {
+        val code: String = handler.retrieveAuthorizationCode(Login("foo"))
+
+        handler.tokenResponse(tokenRequest(code = code), "http://myissuer".toHttpUrl(), DefaultOAuth2TokenCallback()).asClue {
+            val claims = PlainJWT.parse(it.refreshToken).jwtClaimsSet.claims
+            claims["nonce"] shouldBe "5678"
+        }
+    }
+
     private fun AuthorizationCodeHandler.retrieveAuthorizationCode(login: Login): String =
         authorizationCodeResponse(
             authenticationRequest = "http://authorizationendpoint".toHttpUrl().authenticationRequest().asNimbusAuthRequest(),
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenManagerTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenManagerTest.kt
@@ -0,0 +1,35 @@
+package no.nav.security.mock.oauth2.grant
+
+import com.nimbusds.jwt.PlainJWT
+import io.kotest.assertions.asClue
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.shouldNotBe
+import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
+import org.junit.jupiter.api.Test
+
+internal class RefreshTokenManagerTest {
+
+    @Test
+    fun `refresh token should be a jwt with nonce included if nonce is not null (for keycloak compatibility)`() {
+        val mgr = RefreshTokenManager()
+        val tokenCallback = DefaultOAuth2TokenCallback()
+
+        mgr.refreshToken(tokenCallback, "nonce123").asClue {
+            val claims = PlainJWT.parse(it).jwtClaimsSet.claims
+
+            claims["nonce"] shouldBe "nonce123"
+            claims["jti"] shouldNotBe null
+        }
+    }
+
+    @Test
+    fun `tokencallback should be available in cache for specific refresh token`() {
+        val mgr = RefreshTokenManager()
+        val tokenCallback = DefaultOAuth2TokenCallback()
+
+        val refreshToken = mgr.refreshToken(tokenCallback, null)
+        mgr[refreshToken] shouldBe tokenCallback
+        val refreshToken2 = mgr.refreshToken(tokenCallback, "nonce123")
+        mgr[refreshToken2] shouldBe tokenCallback
+    }
+}
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Token.kt b/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Token.kt

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,6 @@ internal class StandaloneMockOAuth2ServerKtTest {`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
`57`		`-`
`58`	`57`	`@Test`
`59`	`58`	fun `load oauth2Config from file`() {
`60`	`59`	`withEnvironment(JSON_CONFIG_PATH to configFile) {`