Refactored IAM signing and encryption service

indigo-iam · Dec 1, 2021 · 0326eff · 0326eff
1 parent dcc2122
commit 0326eff
Show file tree

Hide file tree

Showing 25 changed files with 1,038 additions and 56 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -26,11 +26,14 @@ jobs:
     - name: License check
       run: mvn -B license:check
 
-    - name: Build & test
-      run: mvn -U -B clean test
+    - name: Build, test, package
+      run: mvn -U -B clean package
 
-    - name: Build docker images
-      run: mvn -DskipTests=true -U -B package spring-boot:build-image
+    - name: Copy artifacts to docker dir
+      run: mvn -DskipTests=true -U -B spring-boot:build-image
+
+    - name: Build docker images (packeto)
+      run: mvn -DskipTests=true -U -B spring-boot:build-image
 
     - name: Docker login
       if: startsWith(github.ref, 'refs/tags/')

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/JWTCriptoConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/JWTCriptoConfig.java
@@ -16,18 +16,18 @@
 package it.infn.mw.iam.config;
 
 import org.mitre.jose.keystore.JWKSetKeyStore;
-import org.mitre.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
-import org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService;
+import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
+import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ResourceLoader;
 
-import com.nimbusds.jose.JWEAlgorithm;
-
 import it.infn.mw.iam.config.error.IAMJWTKeystoreError;
+import it.infn.mw.iam.core.jwk.IamJWTEncryptionService;
+import it.infn.mw.iam.core.jwk.IamJWTSigningService;
 import it.infn.mw.iam.util.JWKKeystoreLoader;
 
 @Configuration
@@ -53,44 +53,36 @@ public JWKSetKeyStore defaultKeyStore(JWKKeystoreLoader loader) {
   }
 
   @Bean(name = "defaultsignerService")
-  public DefaultJWTSigningAndValidationService defaultSignerService(JWKSetKeyStore keystore) {
+  public JWTSigningAndValidationService defaultSignerService(JWKSetKeyStore keystore) {
     try {
-      DefaultJWTSigningAndValidationService signerService =
-          new DefaultJWTSigningAndValidationService(keystore);
+
+      IamJWTSigningService signerService =
+          new IamJWTSigningService(iamProperties.getJwk(), keystore);
 
       LOG.info("Default JWK key id: {}", iamProperties.getJwk().getDefaultKeyId());
       LOG.info("Default JWS algorithm: {}", iamProperties.getJwk().getDefaultJwsAlgorithm());
 
-      signerService.setDefaultSignerKeyId(iamProperties.getJwk().getDefaultKeyId());
-      signerService.setDefaultSigningAlgorithmName(iamProperties.getJwk().getDefaultJwsAlgorithm());
       return signerService;
     } catch (Exception e) {
       throw new IAMJWTKeystoreError("Error creating JWT signing and validation service", e);
     }
   }
 
   @Bean(name = "defaultEncryptionService")
-  public DefaultJWTEncryptionAndDecryptionService defaultEncryptionService(
+  public JWTEncryptionAndDecryptionService defaultEncryptionService(
       JWKSetKeyStore keystore) {
 
     try {
-      DefaultJWTEncryptionAndDecryptionService encryptionService =
-          new DefaultJWTEncryptionAndDecryptionService(keystore);
 
-      JWEAlgorithm algo = JWEAlgorithm.parse(iamProperties.getJwk().getDefaultJweAlgorithm()); 
-      encryptionService
-        .setDefaultAlgorithm(algo);
+      IamJWTEncryptionService encryptionService =
+          new IamJWTEncryptionService(iamProperties, keystore);
 
       LOG.info("Default JWE key encrypt key id: {}",
           iamProperties.getJwk().getDefaultJweEncryptKeyId());
       LOG.info("Default JWE key decrypt key id: {}",
           iamProperties.getJwk().getDefaultJweDecryptKeyId());
-      LOG.info("Default JWE algorithm: {}", algo.getName());
+      LOG.info("Default JWE algorithm: {}", iamProperties.getJwk().getDefaultJweAlgorithm());
 
-      encryptionService
-        .setDefaultDecryptionKeyId(iamProperties.getJwk().getDefaultJweDecryptKeyId());
-      encryptionService
-        .setDefaultEncryptionKeyId(iamProperties.getJwk().getDefaultJweEncryptKeyId());
       return encryptionService;
     } catch (Exception e) {
       throw new IAMJWTKeystoreError("Error creating JWT encryption/decription service", e);

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java
@@ -81,7 +81,7 @@
 import it.infn.mw.iam.authn.oidc.RestTemplateFactory;
 import it.infn.mw.iam.core.client.ClientUserDetailsService;
 import it.infn.mw.iam.core.client.IAMClientUserDetailsService;
-import it.infn.mw.iam.core.oauth.IamJWKSetCacheService;
+import it.infn.mw.iam.core.jwk.IamJWKSetCacheService;
 import it.infn.mw.iam.core.oauth.IamOAuth2RequestFactory;
 import it.infn.mw.iam.core.oauth.profile.JWTProfileResolver;
 import it.infn.mw.iam.core.oauth.scope.IamSystemScopeService;

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/error/JwkCryptoError.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/error/JwkCryptoError.java
@@ -0,0 +1,33 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.core.error;
+
+public class JwkCryptoError extends RuntimeException {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 1L;
+
+  public JwkCryptoError(Throwable cause) {
+    super(cause);
+  }
+
+  public JwkCryptoError(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+}
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/error/NoSuchKeyError.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/error/NoSuchKeyError.java
@@ -0,0 +1,35 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.core.error;
+
+import java.util.function.Supplier;
+
+public class NoSuchKeyError extends RuntimeException {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 1L;
+
+  public NoSuchKeyError(String message) {
+    super(message);
+  }
+
+  public static Supplier<NoSuchKeyError> forKeyId(String keyId) {
+    return () -> new NoSuchKeyError("No such key: " + keyId);
+  }
+
+}
diff --git a/...iam/core/oauth/IamJWKSetCacheService.java → ...w/iam/core/jwk/IamJWKSetCacheService.java b/...iam/core/oauth/IamJWKSetCacheService.java → ...w/iam/core/jwk/IamJWKSetCacheService.java
@@ -13,16 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package it.infn.mw.iam.core.oauth;
+package it.infn.mw.iam.core.jwk;
 
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
 import org.mitre.jose.keystore.JWKSetKeyStore;
 import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
-import org.mitre.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -106,7 +104,7 @@ public JWTEncryptionAndDecryptionService load(String key) throws Exception {
 
       JWKSetKeyStore keyStore = new JWKSetKeyStore(jwkSet);
 
-      return new DefaultJWTEncryptionAndDecryptionService(keyStore);
+      return new IamJWTEncryptionService(keyStore);
     }
   }
 
@@ -129,7 +127,7 @@ public JWTSigningAndValidationService load(String key) throws Exception {
 
       JWKSetKeyStore keyStore = new JWKSetKeyStore(jwkSet);
 
-      return new DefaultJWTSigningAndValidationService(keyStore);
+      return new IamJWTSigningService(keyStore);
     }
   }
 }