Compare commits

..

No commits in common. "975ebae553465398091b00377cf8790c80ea7547" and "e48fb283c3475bb5ee6c7ea3f5a941c345b74371" have entirely different histories.

9 changed files with 58 additions and 91 deletions

View File

@ -60,7 +60,6 @@ dependencies {
runtimeOnly("com.microsoft.sqlserver:mssql-jdbc:9.2.1.jre11")
runtimeOnly("io.jsonwebtoken:jjwt-impl:0.11.2")
runtimeOnly("io.jsonwebtoken:jjwt-jackson:0.11.2")
}
springBoot {

2
gradlew vendored
View File

@ -72,7 +72,7 @@ case "`uname`" in
Darwin* )
darwin=true
;;
MSYS* | MINGW* )
MINGW* )
msys=true
;;
NONSTOP* )

View File

@ -1,5 +1,3 @@
package dev.fyloz.colorrecipesexplorer
typealias SpringUser = org.springframework.security.core.userdetails.User
typealias SpringUserDetails = org.springframework.security.core.userdetails.UserDetails
typealias SpringUserDetailsService = org.springframework.security.core.userdetails.UserDetailsService
public typealias SpringUser = org.springframework.security.core.userdetails.User

View File

@ -1,19 +1,21 @@
package dev.fyloz.colorrecipesexplorer.config.security
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
import dev.fyloz.colorrecipesexplorer.SpringUser
import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
import dev.fyloz.colorrecipesexplorer.model.account.UserDetails
import dev.fyloz.colorrecipesexplorer.model.account.UserLoginRequest
import dev.fyloz.colorrecipesexplorer.utils.buildJwt
import dev.fyloz.colorrecipesexplorer.utils.parseJwt
import io.jsonwebtoken.ExpiredJwtException
import io.jsonwebtoken.Jwts
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
import org.springframework.util.Assert
import org.springframework.web.util.WebUtils
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
@ -44,11 +46,10 @@ class JwtAuthenticationFilter(
request: HttpServletRequest,
response: HttpServletResponse,
chain: FilterChain,
auth: Authentication
authResult: Authentication
) {
val userDetails = (auth.principal as UserDetails)
val token =
userDetails.user.buildJwt(securityProperties.jwtSecret, duration = securityProperties.jwtDuration).token
val user = (authResult.principal as SpringUser)
val token = user.buildJwt(securityProperties)
var bearerCookie =
"$authorizationCookieName=Bearer$token; Max-Age=${securityProperties.jwtDuration / 1000}; HttpOnly; SameSite=strict"
@ -58,13 +59,11 @@ class JwtAuthenticationFilter(
bearerCookie
)
response.addHeader(authorizationCookieName, "Bearer $token")
updateUserLoginTime(userDetails.user.id)
}
}
class JwtAuthorizationFilter(
private val securityProperties: CreSecurityProperties,
private val securityConfigurationProperties: CreSecurityProperties,
authenticationManager: AuthenticationManager,
private val loadUserById: (Long) -> UserDetails
) : BasicAuthenticationFilter(authenticationManager) {
@ -100,10 +99,16 @@ class JwtAuthorizationFilter(
}
private fun getAuthentication(token: String): UsernamePasswordAuthenticationToken? {
val jwtSecret = securityConfigurationProperties.jwtSecret
Assert.notNull(jwtSecret, "No JWT secret has been defined.")
return try {
with(parseJwt(token.replace("Bearer", ""), securityProperties.jwtSecret)) {
getAuthenticationToken(this.subject)
}
val userId = Jwts.parser()
.setSigningKey(jwtSecret.toByteArray())
.parseClaimsJws(token.replace("Bearer", ""))
.body
.subject
if (userId != null) getAuthenticationToken(userId) else null
} catch (_: ExpiredJwtException) {
null
}

View File

@ -4,8 +4,6 @@ import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
import dev.fyloz.colorrecipesexplorer.emergencyMode
import dev.fyloz.colorrecipesexplorer.model.account.Permission
import dev.fyloz.colorrecipesexplorer.model.account.User
import dev.fyloz.colorrecipesexplorer.model.account.UserDetails
import dev.fyloz.colorrecipesexplorer.model.account.user
import dev.fyloz.colorrecipesexplorer.service.CreUserDetailsService
import dev.fyloz.colorrecipesexplorer.service.UserService
import org.slf4j.Logger
@ -24,6 +22,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.AuthenticationException
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
@ -35,6 +34,7 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource
import javax.annotation.PostConstruct
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.core.userdetails.User as SpringUser
@Configuration
@Profile("!emergency")
@ -122,6 +122,8 @@ class EmergencySecurityConfig(
private val securityProperties: CreSecurityProperties,
private val environment: Environment
) : WebSecurityConfigurerAdapter() {
private val rootUserRole = Permission.ADMIN.name
init {
emergencyMode = true
}
@ -140,7 +142,7 @@ class EmergencySecurityConfig(
auth.inMemoryAuthentication()
.withUser(securityProperties.root!!.id.toString())
.password(passwordEncoder().encode(securityProperties.root!!.password))
.authorities(SimpleGrantedAuthority(Permission.ADMIN.name))
.authorities(SimpleGrantedAuthority(rootUserRole))
}
override fun configure(http: HttpSecurity) {
@ -170,11 +172,11 @@ class EmergencySecurityConfig(
private fun loadUserById(id: Long): UserDetails {
assertRootUserNotNull(securityProperties)
if (id == securityProperties.root!!.id) {
return UserDetails(user(
id = id,
password = securityProperties.root!!.password,
permissions = mutableSetOf(Permission.ADMIN)
))
return SpringUser(
id.toString(),
securityProperties.root!!.password,
listOf(SimpleGrantedAuthority(rootUserRole))
)
}
throw UsernameNotFoundException(id.toString())
}

View File

@ -1,6 +1,5 @@
package dev.fyloz.colorrecipesexplorer.model.account
import dev.fyloz.colorrecipesexplorer.SpringUserDetails
import dev.fyloz.colorrecipesexplorer.exception.AlreadyExistsException
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
import dev.fyloz.colorrecipesexplorer.model.EntityDto
@ -60,6 +59,9 @@ data class User(
.apply {
if (group != null) this.addAll(group!!.flatPermissions)
}
val authorities: Set<GrantedAuthority>
get() = flatPermissions.map { it.toAuthority() }.toMutableSet()
}
open class UserSaveDto(
@ -108,19 +110,6 @@ data class UserOutputDto(
data class UserLoginRequest(val id: Long, val password: String)
data class UserDetails(val user: User) : SpringUserDetails {
override fun getPassword() = user.password
override fun getUsername() = user.id.toString()
override fun getAuthorities() =
user.flatPermissions.map { it.toAuthority() }.toMutableSet()
override fun isAccountNonExpired() = true
override fun isAccountNonLocked() = true
override fun isCredentialsNonExpired() = true
override fun isEnabled() = true
}
// ==== DSL ====
fun user(
passwordEncoder: PasswordEncoder = BCryptPasswordEncoder(),

View File

@ -1,6 +1,5 @@
package dev.fyloz.colorrecipesexplorer.service
import dev.fyloz.colorrecipesexplorer.SpringUserDetailsService
import dev.fyloz.colorrecipesexplorer.config.security.blacklistedJwtTokens
import dev.fyloz.colorrecipesexplorer.config.security.defaultGroupCookieName
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
@ -10,6 +9,8 @@ import dev.fyloz.colorrecipesexplorer.repository.GroupRepository
import dev.fyloz.colorrecipesexplorer.repository.UserRepository
import org.springframework.context.annotation.Lazy
import org.springframework.context.annotation.Profile
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.stereotype.Service
@ -18,6 +19,7 @@ import java.time.LocalDateTime
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import javax.transaction.Transactional
import org.springframework.security.core.userdetails.User as SpringUser
interface UserService :
ExternalModelService<User, UserSaveDto, UserUpdateDto, UserOutputDto, UserRepository> {
@ -67,7 +69,7 @@ interface GroupService :
fun setResponseDefaultGroup(groupId: Long, response: HttpServletResponse)
}
interface CreUserDetailsService : SpringUserDetailsService {
interface CreUserDetailsService : UserDetailsService {
/** Loads an [User] for the given [id]. */
fun loadUserById(id: Long, ignoreDefaultGroupUsers: Boolean = false): UserDetails
}
@ -302,7 +304,8 @@ class GroupServiceImpl(
@Profile("!emergency")
class CreUserDetailsServiceImpl(
private val userService: UserService
) : CreUserDetailsService {
) :
CreUserDetailsService {
override fun loadUserByUsername(username: String): UserDetails {
try {
return loadUserById(username.toLong(), true)
@ -319,6 +322,6 @@ class CreUserDetailsServiceImpl(
ignoreDefaultGroupUsers = ignoreDefaultGroupUsers,
ignoreSystemUsers = false
)
return UserDetails(user)
return SpringUser(user.id.toString(), user.password, user.authorities)
}
}

View File

@ -1,62 +1,33 @@
package dev.fyloz.colorrecipesexplorer.utils
import dev.fyloz.colorrecipesexplorer.model.account.User
import dev.fyloz.colorrecipesexplorer.SpringUser
import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
import io.jsonwebtoken.Jwts
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.io.Encoders
import io.jsonwebtoken.security.Keys
import java.util.*
import javax.crypto.SecretKey
data class Jwt(
val subject: String,
val secret: String,
val duration: Long? = null,
val signatureAlgorithm: SignatureAlgorithm = SignatureAlgorithm.HS512,
val claims: Map<String, Any?> = mapOf()
) {
val token: String by lazy {
val builder = Jwts.builder()
.signWith(keyFromSecret(secret))
.setSubject(subject)
.addClaims(claims.filterValues { it != null })
val duration: Long,
val signatureAlgorithm: SignatureAlgorithm = SignatureAlgorithm.HS512
)
duration?.let {
val expirationMs = System.currentTimeMillis() + it
val expirationDate = Date(expirationMs)
fun SpringUser.buildJwt(properties: CreSecurityProperties) =
Jwt(this.username, properties.jwtSecret, properties.jwtDuration).build()
builder.setExpiration(expirationDate)
}
fun Jwt.build(): String {
val expirationMs = System.currentTimeMillis() + this.duration
val expirationDate = Date(expirationMs)
builder.compact()
}
val base64Secret = Encoders.BASE64.encode(this.secret.toByteArray())
val key = Keys.hmacShaKeyFor(base64Secret.toByteArray())
return Jwts.builder()
.setSubject(this.subject)
.setExpiration(expirationDate)
.signWith(key)
.compact()
}
/** Build a [Jwt] for the given [User]. */
fun User.buildJwt(secret: String, duration: Long?) =
Jwt(
subject = this.id.toString(),
secret,
duration,
claims = mapOf(
"groupId" to this.group?.id,
"groupName" to this.group?.name
)
)
/** Parses the given [jwt] string. */
fun parseJwt(jwt: String, secret: String) =
with(
Jwts.parserBuilder()
.setSigningKey(keyFromSecret(secret))
.build()
.parseClaimsJws(jwt)
) {
Jwt(this.body.subject, secret)
}
/** Creates a base64 encoded [SecretKey] from the given [secret]. */
private fun keyFromSecret(secret: String) =
with(Encoders.BASE64.encode(secret.toByteArray())) {
Keys.hmacShaKeyFor(this.toByteArray())
}

View File

@ -3,7 +3,7 @@ server.port=9090
# CRE
cre.server.data-directory=data
cre.server.config-directory=config
cre.security.jwt-secret=CtnvGQjgZ44A1fh295gE78WWOgl8InrbwBgQsMy0
cre.security.jwt-secret=CtnvGQjgZ44A1fh295gE
cre.security.jwt-duration=18000000
cre.security.aes-secret=blabla
# Root user