Merge 7427c23 into 805d6b0

FAForever · Jul 21, 2019 · 5b00d57 · 5b00d57
2 parents 805d6b0 + 7427c23
commit 5b00d57
Show file tree

Hide file tree

Showing 7 changed files with 91 additions and 21 deletions.
diff --git a/src/inttest/resources/config/application.yml b/src/inttest/resources/config/application.yml
@@ -22,7 +22,36 @@ spring:
 
 faf-api:
   jwt:
-    secret: banana
+    secretKey: |-
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpgIBAAKCAQEAzTpJ/ytBu3dih41bEqRnchNfkyCigIWDHrbBa+0Szw853Oew
+      LJ1Zwe5wh9L8nxWD7f+pVDg5dAKXAJabmx6vuXhJjekIxrHTIRdxebO2norhAK/Q
+      OuOZ4NKinShpWwyLgmPcJZaKq1TNtVm7No/3CQK5XugDJ5NG2c1RNEAdk3pk2EkB
+      lhhObJW2vUY+KmJ+4ndwZKeyJD4CTr4sJK7cWRf2Ht2RWq6omFlsnQiPGyO9/VYo
+      YQz3fVTiXdf4+xg6toBaVvult0YPS5/jm611RrsMwLM4ZpWkUlytxR/N8/oLb9rD
+      nO9+OQZDpIsKfNd3ZAqg/wZTHIcb474UHjUTiQIDAQABAoIBAQCMuO1IZNbbvs72
+      97x9GfI8zH/6mKQU0HfKNbKHWLZO+LfKe6vXy8ViLydGWywRwWUHawkm0K7El4oH
+      Qz5LrUz9NjfpcOMtq32D8VlEBDCyobQLDoMP/kTjXktWzAECB6YZsHOh6ooHVU0A
+      jxjKHwlbSlzlcN3I4znv2tNVqqkdF9Gbg7wUmN9n0qpj+7kDtkixJy3jm9YLxKCS
+      pNZ1UUjGKtVgl/1871slNUtANHj/xCnkYrOncrIXf472pEeSxBU5JlI4fILcyTtG
+      B9btuYBk7Z239TWDEZTqIyst0QGteNRsjE+gkB9WV1ra9JPPWDiBYye4qqaIs3al
+      jd3lkMApAoGBAP+i1aJ/c8XV18eTMYLmQZRnkjrkxyQMhJ/x+6tow6p6A16lDwHh
+      tRoyQk0XdTpQegu+YtdBXSRk6zNzE2njWEVOMK4/Zqt5a1yMSE/8MMQVler1ChdF
+      PWhZCPb+CfKm1RHXpFMsmBZx+7MumLQwjCtZfQl8YMt34gfVcXRSZ50DAoGBAM2F
+      FVrTTUVaGv6zjdO7K+5eUj0VRR2nGId5nIWqouQryJaizeBZfWatjDYVbl0qHFy2
+      QnHA+3UEsVWOkJG90rZcP4UWcDy86e5T/3FR2Xfy3kW10Gfe6hrjjbjYflleD5Qg
+      uZ9ovk/TZjTjvMWisNBSW1FILz9SMLWHoCFPGOmDAoGBANKRb4X1lAiOt7n13d+k
+      CLrUgVgvoHVqNkiFi7dKiXnAHUx1i6ISKBoW8hQMUYyiQ5Wu0j3a4n0a/74WeRRM
+      pyYXXPP613hBgJTwHJR9+DFcUmwCQbifWRC93iuNX+ZXU8Tpqrq0TeaXJywWIsSy
+      BJOkl+EbaaPP8Qhg4Z5eTmi/AoGBAMzSDyA/acjuLe0cwQH8jaG3+rnJkuIkf3u0
+      pVtJXaGMSRJnGkq2pRVJbG0SGrVanH2BXuLDc1eB38HmnQnCZlc7xEo8vIqrs2/D
+      4tXqvpKeRwquUg7Sx/kYQ0uu5uzloxz7KENIPjKL+lZHiQBmTVSwXzW4fO3cWZLw
+      oZPQooFFAoGBAMVvhsOmlpwyyS9s/CVIMirvLQEuEIIS5fMcnmCmu8P49ZZ7YSVf
+      2OJOSGj+lWkEMf2qOW7kYl303GrESeJ36KmLbDthnH+p6RSq5NzN5CAucffA0tsa
+      keX0a6YHVu9doUPhUFJdbgg8FIL1FVEJROQckMAiDcYg2mFXmtaVTjqX
+      -----END RSA PRIVATE KEY-----
+    publicKey: |-
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNOkn/K0G7d2KHjVsSpGdyE1+TIKKAhYMetsFr7RLPDznc57AsnVnB7nCH0vyfFYPt/6lUODl0ApcAlpubHq+5eEmN6QjGsdMhF3F5s7aeiuEAr9A645ng0qKdKGlbDIuCY9wlloqrVM21Wbs2j/cJArle6AMnk0bZzVE0QB2TemTYSQGWGE5slba9Rj4qYn7id3Bkp7IkPgJOviwkrtxZF/Ye3ZFarqiYWWydCI8bI739VihhDPd9VOJd1/j7GDq2gFpW+6W3Rg9Ln+ObrXVGuwzAszhmlaRSXK3FH83z+gtv2sOc7345BkOkiwp813dkCqD/BlMchxvjvhQeNROJ api@faforever.com
   map:
     target-directory: "build/cache/map/maps"
     directory-preview-path-small: "build/cache/map_previews/small"

diff --git a/src/main/java/com/faforever/api/config/FafApiProperties.java b/src/main/java/com/faforever/api/config/FafApiProperties.java
@@ -50,7 +50,8 @@ public static class Jwt {
     /**
      * The secret used for JWT token generation.
      */
-    private String secret;
+    private String secretKey;
+    private String publicKey;
     private int accessTokenValiditySeconds = 3600;
     private int refreshTokenValiditySeconds = 3600;
   }

diff --git a/src/main/java/com/faforever/api/config/security/oauth2/OAuthJwtConfig.java b/src/main/java/com/faforever/api/config/security/oauth2/OAuthJwtConfig.java
@@ -37,7 +37,8 @@ public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
   @Bean
   protected JwtAccessTokenConverter jwtAccessTokenConverter() {
     JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
-    jwtAccessTokenConverter.setSigningKey(fafApiProperties.getJwt().getSecret());
+    jwtAccessTokenConverter.setSigningKey(fafApiProperties.getJwt().getSecretKey());
+    jwtAccessTokenConverter.setVerifierKey(fafApiProperties.getJwt().getPublicKey());
     ((DefaultAccessTokenConverter) jwtAccessTokenConverter.getAccessTokenConverter()).setUserTokenConverter(new FafUserAuthenticationConverter());
     return jwtAccessTokenConverter;
   }

diff --git a/src/main/java/com/faforever/api/security/FafTokenService.java b/src/main/java/com/faforever/api/security/FafTokenService.java
@@ -10,7 +10,8 @@
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.jwt.JwtHelper;
-import org.springframework.security.jwt.crypto.sign.MacSigner;
+import org.springframework.security.jwt.crypto.sign.RsaSigner;
+import org.springframework.security.jwt.crypto.sign.RsaVerifier;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Assert;
 
@@ -28,11 +29,13 @@ public class FafTokenService {
   static final String KEY_LIFETIME = "lifetime";
 
   private final ObjectMapper objectMapper;
-  private final MacSigner macSigner;
+  private final RsaSigner rsaSigner;
+  private final RsaVerifier rsaVerifier;
 
   public FafTokenService(ObjectMapper objectMapper, FafApiProperties properties) {
     this.objectMapper = objectMapper;
-    this.macSigner = new MacSigner(properties.getJwt().getSecret());
+    this.rsaSigner = new RsaSigner(properties.getJwt().getSecretKey());
+    this.rsaVerifier = new RsaVerifier(properties.getJwt().getPublicKey());
   }
 
   /**
@@ -53,7 +56,7 @@ public String createToken(@NotNull FafTokenType type, @NotNull TemporalAmount li
 
     log.debug("Creating token of type '{}' expiring at '{}' with attributes: {}", type, expiresAt, attributes);
 
-    return JwtHelper.encode(objectMapper.writeValueAsString(claims), macSigner).getEncoded();
+    return JwtHelper.encode(objectMapper.writeValueAsString(claims), rsaSigner).getEncoded();
   }
 
   /**
@@ -67,7 +70,7 @@ public Map<String, String> resolveToken(@NotNull FafTokenType expectedTokenType,
     Map<String, String> claims;
 
     try {
-      claims = objectMapper.readValue(JwtHelper.decodeAndVerify(token, macSigner).getClaims(), new TypeReference<Map<String, String>>() {
+      claims = objectMapper.readValue(JwtHelper.decodeAndVerify(token, rsaVerifier).getClaims(), new TypeReference<Map<String, String>>() {
       });
     } catch (JsonProcessingException | IllegalArgumentException e) {
       log.warn("Unparseable token: {}", token);

diff --git a/src/main/java/com/faforever/api/security/JwtService.java b/src/main/java/com/faforever/api/security/JwtService.java
@@ -4,28 +4,31 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.springframework.security.jwt.Jwt;
 import org.springframework.security.jwt.JwtHelper;
-import org.springframework.security.jwt.crypto.sign.MacSigner;
+import org.springframework.security.jwt.crypto.sign.RsaSigner;
+import org.springframework.security.jwt.crypto.sign.RsaVerifier;
 import org.springframework.stereotype.Service;
 
 import javax.inject.Inject;
 import java.io.IOException;
 
 @Service
 public class JwtService {
-  private final MacSigner macSigner;
+  private final RsaSigner rsaSigner;
+  private final RsaVerifier rsaVerifier;
   private final ObjectMapper objectMapper;
 
   @Inject
   public JwtService(FafApiProperties fafApiProperties, ObjectMapper objectMapper) {
-    this.macSigner = new MacSigner(fafApiProperties.getJwt().getSecret());
+    this.rsaSigner = new RsaSigner(fafApiProperties.getJwt().getSecretKey());
+    this.rsaVerifier = new RsaVerifier(fafApiProperties.getJwt().getPublicKey());
     this.objectMapper = objectMapper;
   }
 
   public String sign(Object data) throws IOException {
-    return JwtHelper.encode(objectMapper.writeValueAsString(data), this.macSigner).getEncoded();
+    return JwtHelper.encode(objectMapper.writeValueAsString(data), this.rsaSigner).getEncoded();
   }
 
   public Jwt decodeAndVerify(String stringToken) {
-    return JwtHelper.decodeAndVerify(stringToken, this.macSigner);
+    return JwtHelper.decodeAndVerify(stringToken, this.rsaVerifier);
   }
 }
diff --git a/src/test/java/com/faforever/api/security/FafTokenServiceTest.java b/src/test/java/com/faforever/api/security/FafTokenServiceTest.java
@@ -13,7 +13,8 @@
 import org.junit.rules.ExpectedException;
 import org.springframework.security.jwt.Jwt;
 import org.springframework.security.jwt.JwtHelper;
-import org.springframework.security.jwt.crypto.sign.MacSigner;
+import org.springframework.security.jwt.crypto.sign.RsaSigner;
+import org.springframework.security.jwt.crypto.sign.RsaVerifier;
 
 import java.time.Duration;
 import java.util.Collections;
@@ -24,15 +25,46 @@
 import static org.junit.Assert.assertTrue;
 
 public class FafTokenServiceTest {
-  private static final String TEST_SECRET = "banana";
-  private final MacSigner macSigner;
+  private static final String TEST_SECRET_KEY =
+    "-----BEGIN RSA PRIVATE KEY-----\n" +
+      "MIIEpgIBAAKCAQEAzTpJ/ytBu3dih41bEqRnchNfkyCigIWDHrbBa+0Szw853Oew\n" +
+      "LJ1Zwe5wh9L8nxWD7f+pVDg5dAKXAJabmx6vuXhJjekIxrHTIRdxebO2norhAK/Q\n" +
+      "OuOZ4NKinShpWwyLgmPcJZaKq1TNtVm7No/3CQK5XugDJ5NG2c1RNEAdk3pk2EkB\n" +
+      "lhhObJW2vUY+KmJ+4ndwZKeyJD4CTr4sJK7cWRf2Ht2RWq6omFlsnQiPGyO9/VYo\n" +
+      "YQz3fVTiXdf4+xg6toBaVvult0YPS5/jm611RrsMwLM4ZpWkUlytxR/N8/oLb9rD\n" +
+      "nO9+OQZDpIsKfNd3ZAqg/wZTHIcb474UHjUTiQIDAQABAoIBAQCMuO1IZNbbvs72\n" +
+      "97x9GfI8zH/6mKQU0HfKNbKHWLZO+LfKe6vXy8ViLydGWywRwWUHawkm0K7El4oH\n" +
+      "Qz5LrUz9NjfpcOMtq32D8VlEBDCyobQLDoMP/kTjXktWzAECB6YZsHOh6ooHVU0A\n" +
+      "jxjKHwlbSlzlcN3I4znv2tNVqqkdF9Gbg7wUmN9n0qpj+7kDtkixJy3jm9YLxKCS\n" +
+      "pNZ1UUjGKtVgl/1871slNUtANHj/xCnkYrOncrIXf472pEeSxBU5JlI4fILcyTtG\n" +
+      "B9btuYBk7Z239TWDEZTqIyst0QGteNRsjE+gkB9WV1ra9JPPWDiBYye4qqaIs3al\n" +
+      "jd3lkMApAoGBAP+i1aJ/c8XV18eTMYLmQZRnkjrkxyQMhJ/x+6tow6p6A16lDwHh\n" +
+      "tRoyQk0XdTpQegu+YtdBXSRk6zNzE2njWEVOMK4/Zqt5a1yMSE/8MMQVler1ChdF\n" +
+      "PWhZCPb+CfKm1RHXpFMsmBZx+7MumLQwjCtZfQl8YMt34gfVcXRSZ50DAoGBAM2F\n" +
+      "FVrTTUVaGv6zjdO7K+5eUj0VRR2nGId5nIWqouQryJaizeBZfWatjDYVbl0qHFy2\n" +
+      "QnHA+3UEsVWOkJG90rZcP4UWcDy86e5T/3FR2Xfy3kW10Gfe6hrjjbjYflleD5Qg\n" +
+      "uZ9ovk/TZjTjvMWisNBSW1FILz9SMLWHoCFPGOmDAoGBANKRb4X1lAiOt7n13d+k\n" +
+      "CLrUgVgvoHVqNkiFi7dKiXnAHUx1i6ISKBoW8hQMUYyiQ5Wu0j3a4n0a/74WeRRM\n" +
+      "pyYXXPP613hBgJTwHJR9+DFcUmwCQbifWRC93iuNX+ZXU8Tpqrq0TeaXJywWIsSy\n" +
+      "BJOkl+EbaaPP8Qhg4Z5eTmi/AoGBAMzSDyA/acjuLe0cwQH8jaG3+rnJkuIkf3u0\n" +
+      "pVtJXaGMSRJnGkq2pRVJbG0SGrVanH2BXuLDc1eB38HmnQnCZlc7xEo8vIqrs2/D\n" +
+      "4tXqvpKeRwquUg7Sx/kYQ0uu5uzloxz7KENIPjKL+lZHiQBmTVSwXzW4fO3cWZLw\n" +
+      "oZPQooFFAoGBAMVvhsOmlpwyyS9s/CVIMirvLQEuEIIS5fMcnmCmu8P49ZZ7YSVf\n" +
+      "2OJOSGj+lWkEMf2qOW7kYl303GrESeJ36KmLbDthnH+p6RSq5NzN5CAucffA0tsa\n" +
+      "keX0a6YHVu9doUPhUFJdbgg8FIL1FVEJROQckMAiDcYg2mFXmtaVTjqX\n" +
+      "-----END RSA PRIVATE KEY-----";
+  private static final String TEST_PUBLIC_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNOkn/K0G7d2KHjVsSpGdyE1+TIKKAhYMetsFr7RLPDznc57AsnVnB7nCH0vyfFYPt/6lUODl0ApcAlpubHq+5eEmN6QjGsdMhF3F5s7aeiuEAr9A645ng0qKdKGlbDIuCY9wlloqrVM21Wbs2j/cJArle6AMnk0bZzVE0QB2TemTYSQGWGE5slba9Rj4qYn7id3Bkp7IkPgJOviwkrtxZF/Ye3ZFarqiYWWydCI8bI739VihhDPd9VOJd1/j7GDq2gFpW+6W3Rg9Ln+ObrXVGuwzAszhmlaRSXK3FH83z+gtv2sOc7345BkOkiwp813dkCqD/BlMchxvjvhQeNROJ api@faforever.com";
+  private final RsaSigner rsaSigner;
+  private final RsaVerifier rsaVerifier;
+
   @Rule
   public ExpectedException expectedException = ExpectedException.none();
   private ObjectMapper objectMapper;
   private FafTokenService instance;
 
   public FafTokenServiceTest() {
-    this.macSigner = new MacSigner(TEST_SECRET);
+    this.rsaSigner = new RsaSigner(TEST_SECRET_KEY);
+    this.rsaVerifier = new RsaVerifier(TEST_PUBLIC_KEY);
   }
 
   @Before
@@ -41,7 +73,8 @@ public void setUp() {
     objectMapper.registerModule(new JavaTimeModule());
 
     FafApiProperties properties = new FafApiProperties();
-    properties.getJwt().setSecret(TEST_SECRET);
+    properties.getJwt().setSecretKey(TEST_SECRET_KEY);
+    properties.getJwt().setPublicKey(TEST_PUBLIC_KEY);
 
     instance = new FafTokenService(objectMapper, properties);
   }
@@ -50,7 +83,7 @@ public void setUp() {
   public void createToken() throws Exception {
     String token = instance.createToken(FafTokenType.REGISTRATION, Duration.ofSeconds(100), Collections.emptyMap());
 
-    Jwt jwt = JwtHelper.decodeAndVerify(token, macSigner);
+    Jwt jwt = JwtHelper.decodeAndVerify(token, rsaVerifier);
     Map<String, String> claims = objectMapper.readValue(jwt.getClaims(), new TypeReference<Map<String, String>>() {
     });
 
@@ -64,7 +97,7 @@ public void createTokenWithAttributes() throws Exception {
     Map<String, String> attributes = ImmutableMap.of("attribute1", "value1", "attribute2", "value2");
     String token = instance.createToken(FafTokenType.REGISTRATION, Duration.ofSeconds(100), attributes);
 
-    Jwt jwt = JwtHelper.decodeAndVerify(token, macSigner);
+    Jwt jwt = JwtHelper.decodeAndVerify(token, rsaVerifier);
     Map<String, String> claims = objectMapper.readValue(jwt.getClaims(), new TypeReference<Map<String, String>>() {
     });
 

diff --git a/src/test/java/com/faforever/api/user/UserServiceTest.java b/src/test/java/com/faforever/api/user/UserServiceTest.java
@@ -107,7 +107,7 @@ private static User createUser(int id, String name, String password, String emai
   @Before
   public void setUp() {
     properties = new FafApiProperties();
-    properties.getJwt().setSecret(TEST_SECRET);
+    properties.getJwt().setSecretKey(TEST_SECRET);
     properties.getLinkToSteam().setSteamRedirectUrlFormat("%s");
     instance = new UserService(emailService, playerRepository, userRepository, nameRecordRepository, properties, anopeUserRepository, fafTokenService, steamService, Optional.of(mauticService), globalRatingRepository, ladder1v1RatingRepository);