Skip to content

Commit

Permalink
Remove privateKey from REST API responses
Browse files Browse the repository at this point in the history 
The privateKey field is now returned only on API KEY create
  • Loading branch information
@MDeLuise @Coduz
MDeLuise authored and Coduz committed Mar 13, 2023
1 parent 49a8a87 commit cd7a66d
Show file tree
Hide file tree
Showing 7 changed files with 184 additions and 25 deletions.
51 changes: 51 additions & 0 deletions ...-api/resources/src/main/resources/openapi/credential/credential-scopeId-credentialId.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,41 @@ paths:
application/json:
schema:
$ref: './credential.yaml#/components/schemas/credential'
examples:
Password:
value:
id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
API Key:
value:
id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
401:
$ref: '../openapi.yaml#/components/responses/unauthenticated'
403:
Expand Down Expand Up @@ -58,6 +93,22 @@ paths:
application/json:
schema:
$ref: './credential.yaml#/components/schemas/credential'
example:
id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
401:
$ref: '../openapi.yaml#/components/responses/unauthenticated'
403:
Expand Down
73 changes: 72 additions & 1 deletion rest-api/resources/src/main/resources/openapi/credential/credential-scopeId.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,41 @@ paths:
application/json:
schema:
$ref: './credential.yaml#/components/schemas/credentialListResult'
example:
type: credentialListResult
limitExceeded: false
size: 2
items:
- id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
- id: LgREjS2jadE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: API_KEY
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
401:
$ref: '../openapi.yaml#/components/responses/unauthenticated'
403:
Expand All @@ -60,7 +95,7 @@ paths:
value:
userId: "AQ"
credentialType: PASSWORD
credentialKey: "new-password-123!"
credentialKey: "New-password-123!"
credentialStatus: ENABLED
expirationDate: "2019-12-31T00:00:00.000Z"
apikey:
Expand All @@ -78,6 +113,42 @@ paths:
application/json:
schema:
$ref: './credential.yaml#/components/schemas/credential'
examples:
Password:
value:
id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
API Key:
value:
id: LgJHjS2jvdE
scopeId: AQ
createdOn: "2023-03-09T13:58:30.385Z"
createdBy: AQ
modifiedOn: "2023-03-09T13:58:30.385Z"
modifiedBy: AQ
credentialKey: $2a$12$BjLeC/gqcnEyk.XNo2qorul.a/v4HDuOUlfmojdSZXRSFTjymPdVm
optlock: 0
userId: AQ
credentialType: PASSWORD
status: ENABLED
expirationDate: "2023-04-09T13:58:30.385Z"
loginFailures: 0
firstLoginFailure: "2023-03-09T13:58:30.385Z"
loginFailuresReset: "2023-03-10T13:58:30.385Z"
lockoutReset: "2023-03-09T14:58:30.385Z"
401:
$ref: '../openapi.yaml#/components/responses/unauthenticated'
403:
Expand Down
1 change: 1 addition & 0 deletions rest-api/resources/src/main/resources/openapi/credential/credential.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ components:
- JWT
credentialKey:
type: string
readOnly: true
status:
type: string
enum:
Expand Down
12 changes: 12 additions & 0 deletions .../src/main/java/org/eclipse/kapua/service/authentication/credential/CredentialService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,4 +85,16 @@ CredentialListResult findByUserId(KapuaId scopeId, KapuaId userId)
* @throws KapuaException When something goes wrong
*/
void validatePassword(KapuaId scopeId, String plainPassword) throws KapuaException;


/**
* Return the {@link Credential} within the provided scopeId with the provided credentialId.
* The returned object contains the field credentialKey filled with the actual value.
*
* @param scopeId The scope ID in which to perform the find
* @param credentialId The ID of the credential to find
* @return The searched Credential
* @throws KapuaException When something goes wrong
*/
Credential findWithKey(KapuaId scopeId, KapuaId credentialId) throws KapuaException;
}
56 changes: 34 additions & 22 deletions ...java/org/eclipse/kapua/service/authentication/credential/shiro/CredentialServiceImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -207,24 +207,6 @@ public Credential update(Credential credential)
ArgumentValidator.notNull(credential.getScopeId(), "credential.scopeId");
ArgumentValidator.notNull(credential.getUserId(), "credential.userId");
ArgumentValidator.notNull(credential.getCredentialType(), "credential.credentialType");
ArgumentValidator.notEmptyOrNull(credential.getCredentialKey(), "credential.credentialKey");

// FIXME These check are not correct, since they're applied to an
// already encrypted password. Checks are moved temporary to
// GwtCredentialServiceImpl#update
// if (CredentialType.PASSWORD == credential.getCredentialType()) {
// //
// // Validate Password length
// int minPasswordLength = getMinimumPasswordLength(credential.getScopeId());
// if (credential.getCredentialKey().length() < minPasswordLength ||
// credential.getCredentialKey().length() > SYSTEM_MAXIMUM_PASSWORD_LENGTH) {
// throw new PasswordLengthException(minPasswordLength, SYSTEM_MAXIMUM_PASSWORD_LENGTH);
// }
//
// //
// // Validate Password regex
// ArgumentValidator.match(credential.getCredentialKey(), CommonsValidationRegex.PASSWORD_REGEXP, "credential.credentialKey");
// }

//
// Check access
Expand All @@ -245,7 +227,9 @@ public Credential update(Credential credential)
}

// Passing attributes??
return CredentialDAO.update(em, credential);
Credential updatedCredential = CredentialDAO.update(em, credential);
updatedCredential.setCredentialKey(null);
return updatedCredential;
});
}

Expand All @@ -264,7 +248,11 @@ public Credential find(KapuaId scopeId, KapuaId credentialId)
PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
authorizationService.checkPermission(permissionFactory.newPermission(AuthenticationDomains.CREDENTIAL_DOMAIN, Actions.read, scopeId));

return entityManagerSession.doAction(em -> CredentialDAO.find(em, scopeId, credentialId));
return entityManagerSession.doAction(em -> {
Credential credential = CredentialDAO.find(em, scopeId, credentialId);
credential.setCredentialKey(null);
return credential;
});
}

@Override
Expand All @@ -281,7 +269,11 @@ public CredentialListResult query(KapuaQuery query)
PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
authorizationService.checkPermission(permissionFactory.newPermission(AuthenticationDomains.CREDENTIAL_DOMAIN, Actions.read, query.getScopeId()));

return entityManagerSession.doAction(em -> CredentialDAO.query(em, query));
return entityManagerSession.doAction(em -> {
CredentialListResult credentials = CredentialDAO.query(em, query);
credentials.getItems().forEach(credential -> credential.setCredentialKey(null));
return credentials;
});
}

@Override
Expand Down Expand Up @@ -347,7 +339,9 @@ public CredentialListResult findByUserId(KapuaId scopeId, KapuaId userId)

//
// Query and return result
return query(query);
CredentialListResult credentials = query(query);
credentials.getItems().forEach(credential -> credential.setCredentialKey(null));
return credentials;
}

@Override
Expand Down Expand Up @@ -406,6 +400,7 @@ public Credential findByApiKey(String apiKey) throws KapuaException {
AuthorizationService authorizationService = locator.getService(AuthorizationService.class);
PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
authorizationService.checkPermission(permissionFactory.newPermission(AuthenticationDomains.CREDENTIAL_DOMAIN, Actions.read, credential.getId()));
credential.setCredentialKey(null);
}

return credential;
Expand Down Expand Up @@ -533,4 +528,21 @@ public void validatePassword(KapuaId scopeId, String plainPassword) throws Kapua
// Validate Password regex
ArgumentValidator.match(plainPassword, CommonsValidationRegex.PASSWORD_REGEXP, "plainPassword");
}


@Override
public Credential findWithKey(KapuaId scopeId, KapuaId credentialId) throws KapuaException {
// Validation of the fields
ArgumentValidator.notNull(scopeId, KapuaEntityAttributes.SCOPE_ID);
ArgumentValidator.notNull(credentialId, "credentialId");

//
// Check Access
KapuaLocator locator = KapuaLocator.getInstance();
AuthorizationService authorizationService = locator.getService(AuthorizationService.class);
PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
authorizationService.checkPermission(permissionFactory.newPermission(AuthenticationDomains.CREDENTIAL_DOMAIN, Actions.read, null));

return entityManagerSession.doAction(em -> CredentialDAO.find(em, scopeId, credentialId));
}
}
9 changes: 8 additions & 1 deletion .../java/org/eclipse/kapua/service/authentication/shiro/realm/ApiKeyAuthenticatingRealm.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,14 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
// Find credential
Credential credential = null;
try {
credential = KapuaSecurityUtils.doPrivileged(() -> credentialService.findByApiKey(tokenApiKey));
credential = KapuaSecurityUtils.doPrivileged(() -> {
Credential apiCredential = credentialService.findByApiKey(tokenApiKey);
if (apiCredential == null) {
return null;
} else {
return credentialService.findWithKey(apiCredential.getScopeId(), apiCredential.getId());
}
});
} catch (AuthenticationException ae) {
throw ae;
} catch (KapuaIllegalArgumentException ae) {
Expand Down
7 changes: 6 additions & 1 deletion ...ava/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,12 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent

List<Credential> passwordCredentialList = userCredentialList.getItems(c -> CredentialType.PASSWORD.equals(c.getCredentialType()));

return passwordCredentialList.isEmpty() ? null : passwordCredentialList.get(0);
if (passwordCredentialList.isEmpty()) {
return null;
} else {
Credential passwordCredential = passwordCredentialList.get(0);
return credentialService.findWithKey(passwordCredential.getScopeId(), passwordCredential.getId());
}
});
} catch (AuthenticationException ae) {
throw ae;
Expand Down

0 comments on commit cd7a66d

Please sign in to comment.