fixes #552 get client_secret from client.yml instead of secret.yml

client/src/main/java/com/networknt/client/ClientConfig.java

@@ -111,6 +111,13 @@ public Map<String, Object> getTokenConfig() {
         return tokenConfig;
     }
 
+    /**
+     *
+     * The secret has been moved back to client.yml
+     *
+     * @return Map of secret config
+     */
+    @Deprecated
     public Map<String, Object> getSecretConfig() {
         return secretConfig;
     }

client/src/main/java/com/networknt/client/Http2Client.java

@@ -113,7 +113,10 @@ public class Http2Client {
     static final String LOAD_TRUST_STORE = "loadTrustStore";
     static final String LOAD_KEY_STORE = "loadKeyStore";
     static final String TRUST_STORE = "trustStore";
+    static final String TRUST_STORE_PASS = "trustStorePass";
     static final String KEY_STORE = "keyStore";
+    static final String KEY_STORE_PASS = "keyStorePass";
+    static final String KEY_PASS = "keyPass";
     static final String KEY_STORE_PROPERTY = "javax.net.ssl.keyStore";
     static final String KEY_STORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
     static final String TRUST_STORE_PROPERTY = "javax.net.ssl.trustStore";
@@ -442,11 +445,18 @@ public static SSLContext createSSLContext(String trustedNamesGroupKey) throws IO
                         if(logger.isInfoEnabled()) logger.info("Loading key store from system property at " + Encode.forJava(keyStoreName));
                     } else {
                         keyStoreName = (String) tlsMap.get(KEY_STORE);
-                        keyStorePass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEYSTORE_PASS);
+                        // load keyStorePass from the client.yml first and fallback to secret.yml if doesn't exist.
+                        keyStorePass = (String) tlsMap.get(KEY_STORE_PASS);
+                        if(keyStorePass == null) {
+                            keyStorePass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEYSTORE_PASS);
+                        }
                         if(logger.isInfoEnabled()) logger.info("Loading key store from config at " + Encode.forJava(keyStoreName));
                     }
                     if (keyStoreName != null && keyStorePass != null) {
-                        String keyPass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEY_PASS);
+                        String keyPass = (String) tlsMap.get(KEY_PASS);
+                        if(keyPass == null) {
+                            keyPass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEY_PASS);
+                        }
                         KeyStore keyStore = TlsUtil.loadKeyStore(keyStoreName, keyStorePass.toCharArray());
                         KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                         keyManagerFactory.init(keyStore, keyPass.toCharArray());
@@ -470,7 +480,10 @@ public static SSLContext createSSLContext(String trustedNamesGroupKey) throws IO
                         if(logger.isInfoEnabled()) logger.info("Loading trust store from system property at " + Encode.forJava(trustStoreName));
                     } else {
                         trustStoreName = (String) tlsMap.get(TRUST_STORE);
-                        trustStorePass = (String)ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_TRUSTSTORE_PASS);
+                        trustStorePass = (String) tlsMap.get(TRUST_STORE_PASS);
+                        if(trustStorePass == null) {
+                            trustStorePass = (String)ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_TRUSTSTORE_PASS);
+                        }
                         if(logger.isInfoEnabled()) logger.info("Loading trust store from config at " + Encode.forJava(trustStoreName));
                     }
                     if (trustStoreName != null && trustStorePass != null) {

client/src/main/java/com/networknt/client/oauth/AuthorizationCodeRequest.java

@@ -27,7 +27,6 @@
  * Created by steve on 02/09/16.
  */
 public class AuthorizationCodeRequest extends TokenRequest {
-    static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
 
     String authCode;
     String redirectUri;
@@ -39,7 +38,6 @@ public class AuthorizationCodeRequest extends TokenRequest {
     public AuthorizationCodeRequest() {
         setGrantType(AUTHORIZATION_CODE);
         Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
-        // client_secret is in secret.yml instead of client.yml
         if(clientConfig != null) {
             Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
             if(oauthConfig != null) {
@@ -52,7 +50,13 @@ public AuthorizationCodeRequest() {
                     Map<String, Object> acConfig = (Map<String, Object>) tokenConfig.get(AUTHORIZATION_CODE);
                     if(acConfig != null) {
                         setClientId((String)acConfig.get(CLIENT_ID));
-                        setClientSecret((String)secret.get(SecretConstants.AUTHORIZATION_CODE_CLIENT_SECRET));
+                        // load client secret from client.yml and fallback to secret.yml
+                        if(acConfig.get(CLIENT_SECRET) != null) {
+                            setClientSecret((String)acConfig.get(CLIENT_SECRET));
+                        } else {
+                            Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
+                            setClientSecret((String)secret.get(SecretConstants.AUTHORIZATION_CODE_CLIENT_SECRET));
+                        }
                         setUri((String)acConfig.get(URI));
                         setScope((List<String>)acConfig.get(SCOPE));
                         setRedirectUri((String)acConfig.get(REDIRECT_URI));

client/src/main/java/com/networknt/client/oauth/ClientCredentialsRequest.java

@@ -34,13 +34,10 @@
  * @author Steve Hu
  */
 public class ClientCredentialsRequest extends TokenRequest {
-    static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
-
 
     public ClientCredentialsRequest() {
         setGrantType(CLIENT_CREDENTIALS);
         Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
-        // client_secret is in secret.yml instead of client.yml
         if(clientConfig != null) {
             Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
             if(oauthConfig != null) {
@@ -53,7 +50,13 @@ public ClientCredentialsRequest() {
                     Map<String, Object> ccConfig = (Map<String, Object>) tokenConfig.get(CLIENT_CREDENTIALS);
                     if(ccConfig != null) {
                         setClientId((String)ccConfig.get(CLIENT_ID));
-                        setClientSecret((String)secret.get(SecretConstants.CLIENT_CREDENTIALS_CLIENT_SECRET));
+                        // load client secret from client.yml and fallback to secret.yml
+                        if(ccConfig.get(CLIENT_SECRET) != null) {
+                            setClientSecret((String)ccConfig.get(CLIENT_SECRET));
+                        } else {
+                            Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
+                            setClientSecret((String)secret.get(SecretConstants.CLIENT_CREDENTIALS_CLIENT_SECRET));
+                        }
                         setUri((String)ccConfig.get(URI));
                         //set default scope from config.
                         setScope((List<String>)ccConfig.get(SCOPE));

client/src/main/java/com/networknt/client/oauth/DerefRequest.java

@@ -29,10 +29,9 @@ public class DerefRequest {
     public static String SERVICE_ID = "serviceId";
     public static String URI = "uri";
     public static String CLIENT_ID = "client_id";
+    public static String CLIENT_SECRET = "client_secret";
     public static String ENABLE_HTTP2 = "enableHttp2";
 
-    static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
-
     String serverUrl;
     String serviceId;
     String uri;
@@ -42,7 +41,6 @@ public class DerefRequest {
 
     public DerefRequest(String token) {
         Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
-        // client_secret is in secret.yml instead of client.yml
         if(clientConfig != null) {
             Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
             if(oauthConfig != null) {
@@ -54,7 +52,13 @@ public DerefRequest(String token) {
                     setEnableHttp2(object != null && (Boolean) object);
                     setUri(derefConfig.get(URI) + "/" + token);
                     setClientId((String)derefConfig.get(CLIENT_ID));
-                    setClientSecret((String)secret.get(SecretConstants.DEREF_CLIENT_SECRET));
+                    // load client secret from client.yml and fallback to secret.yml
+                    if(derefConfig.get(CLIENT_SECRET) != null) {
+                        setClientSecret((String)derefConfig.get(CLIENT_SECRET));
+                    } else {
+                        Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
+                        setClientSecret((String)secret.get(SecretConstants.DEREF_CLIENT_SECRET));
+                    }
                 }
             }
         }

client/src/main/java/com/networknt/client/oauth/RefreshTokenRequest.java

@@ -24,14 +24,12 @@
 import com.networknt.config.Config;
 
 public class RefreshTokenRequest extends TokenRequest {
-    static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
 
     String refreshToken;
 
     public RefreshTokenRequest() {
         setGrantType(REFRESH_TOKEN);
         Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
-        // client_secret is in secret.yml instead of client.yml
         if(clientConfig != null) {
             Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
             if(oauthConfig != null) {
@@ -44,7 +42,13 @@ public RefreshTokenRequest() {
                     Map<String, Object> rtConfig = (Map<String, Object>) tokenConfig.get(REFRESH_TOKEN);
                     if(rtConfig != null) {
                         setClientId((String)rtConfig.get(CLIENT_ID));
-                        setClientSecret((String)secret.get(SecretConstants.REFRESH_TOKEN_CLIENT_SECRET));
+                        // load client secret from client.yml and fallback to secret.yml
+                        if(rtConfig.get(CLIENT_SECRET) != null) {
+                            setClientSecret((String)rtConfig.get(CLIENT_SECRET));
+                        } else {
+                            Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
+                            setClientSecret((String)secret.get(SecretConstants.REFRESH_TOKEN_CLIENT_SECRET));
+                        }
                         setUri((String)rtConfig.get(URI));
                         setScope((List<String>)rtConfig.get(SCOPE));
                     }

client/src/main/java/com/networknt/client/oauth/TokenRequest.java

@@ -33,6 +33,7 @@ public class TokenRequest {
     public static String REFRESH_TOKEN = "refresh_token";
     public static String URI = "uri";
     public static String CLIENT_ID = "client_id";
+    public static String CLIENT_SECRET = "client_secret";
     public static String REDIRECT_URI = "redirect_uri";
     public static String SCOPE = "scope";
     public static String CSRF = "csrf";

client/src/main/java/com/networknt/client/ssl/ClientX509ExtendedTrustManager.java

@@ -186,9 +186,9 @@ private void checkIdentity(SSLSession session, X509Certificate cert) throws Cert
 	/**
 	 * This method converts existing X509TrustManagers to ClientX509ExtendedTrustManagers. 
 	 * 
-	 * @param trustManagers
-	 * @param tlsConfig
-	 * @return
+	 * @param trustManagers array of TrustManagers
+	 * @param tlsConfig TLSConfig
+	 * @return TrustManager array
 	 */
 	public static TrustManager[] decorate(TrustManager[] trustManagers, TLSConfig tlsConfig) {
 		if (null!=trustManagers && trustManagers.length>0) {

client/src/main/resources/config/client.yml

@@ -5,14 +5,28 @@ tls:
   # if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate
   # or load truststore that contains the self-signed cretificate.
   verifyHostname: true
+  # The default trustedNames group used to created default SSL context. This is used to create Http2Client.SSL if set.
+  defaultGroupKey: trustedNames.local
+  # trusted hostnames, service names, service Ids, and so on.
+  # Note: localhost and 127.0.0.1 are not trustable hostname/ip in general. So, these values should not be used as trusted names in production.
+  trustedNames: 
+    local: localhost
+    negativeTest: invalidhost 
+    empty:
   # trust store contains certifictes that server needs. Enable if tls is used.
   loadTrustStore: true
   # trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword
   trustStore: client.truststore
+  # trust store password
+  trustStorePass: password
   # key store contains client key and it should be loaded if two-way ssl is uesed.
   loadKeyStore: false
   # key store location
   keyStore: client.keystore
+  # key store password
+  keyStorePass: password
+  # private key password
+  keyPass: password
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration
@@ -36,8 +50,10 @@ oauth:
     authorization_code:
       # token endpoint for authorization code grant
       uri: "/oauth2/token"
-      # client_id for authorization code grant flow. client_secret is in secret.yml
+      # client_id for authorization code grant flow.
       client_id: f7d42348-c647-4efb-a52d-4c5787421e72
+      # client_secret for authorization code grant flow.
+      client_secret: f6h1FTI8Q3-7UScPZDzfXA
       # the web server uri that will receive the redirected authorization code
       redirect_uri: https://localhost:8080/authorization_code
       # optional scope, default scope in the client registration will be used if not defined.
@@ -50,6 +66,8 @@ oauth:
       uri: "/oauth2/token"
       # client_id for client credentials grant flow. client_secret is in secret.yml
       client_id: f7d42348-c647-4efb-a52d-4c5787421e72
+      # client_secret for client credentials grant flow.
+      client_secret: f6h1FTI8Q3-7UScPZDzfXA
       # optional scope, default scope in the client registration will be used if not defined.
       scope:
       - petstore.r
@@ -59,15 +77,17 @@ oauth:
       uri: "/oauth2/token"
       # client_id for refresh token grant flow. client_secret is in secret.yml
       client_id: f7d42348-c647-4efb-a52d-4c5787421e72
+      # client_secret for refresh token
+      client_secret: f6h1FTI8Q3-7UScPZDzfXA
       # optional scope, default scope in the client registration will be used if not defined.
       scope:
       - petstore.r
       - petstore.w
     # light-oauth2 key distribution endpoint configuration for token verification
     key:
-      # key distribution server url
+      # key distribution server url for token verification. It will be used if it is configured.
       server_url: https://localhost:6886
-      # the unique service id for key distribution service
+      # key serviceId for key distribution service, it will be used if above server_url is not configured.
       serviceId: com.networknt.oauth2-key-1.0.0
       # the path for the key distribution endpoint
       uri: "/oauth2/key"
@@ -79,8 +99,10 @@ oauth:
       enableHttp2: true
   # sign endpoint configuration
   sign:
-    # token server url. The default port number for token service is 6882.
+    # token server url. The default port number for token service is 6882. If this url exists, it will be used.
     server_url: https://localhost:6882
+    # token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service.
+    serviceId: com.networknt.oauth2-token-1.0.0
     # signing endpoint for the sign request
     uri: "/oauth2/token"
     # timeout in milliseconds
@@ -93,9 +115,9 @@ oauth:
     client_secret: f6h1FTI8Q3-7UScPZDzfXA
     # the key distribution sever config for sign. It can be different then token key distribution server.
     key:
-      # key distribution server url
+      # key distribution server url. It will be used to establish connection if it exists.
       server_url: https://localhost:6886
-      # the unique service id for key distribution service
+      # the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist.
       serviceId: com.networknt.oauth2-key-1.0.0
       # the path for the key distribution endpoint
       uri: "/oauth2/key"
@@ -107,21 +129,23 @@ oauth:
       enableHttp2: true
   # de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider.
   deref:
-    # Token service server url, this might be different than the above token server url.
+    # Token service server url, this might be different than the above token server url. The static url will be used if it is configured.
     server_url: https://localhost:6882
-    # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery.
+    # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured.
     serviceId: com.networknt.oauth2-token-1.0.0
     # set to true if the oauth2 provider supports HTTP/2
     enableHttp2: true
     # the path for the key distribution endpoint
     uri: "/oauth2/deref"
     # client_id used to access key distribution service. It can be the same client_id with token service or not.
     client_id: f7d42348-c647-4efb-a52d-4c5787421e72
+    # client_secret for deref
+    client_secret: f6h1FTI8Q3-7UScPZDzfXA
 # circuit breaker configuration for the client
 request:
   # number of timeouts/errors to break the circuit
   errorThreshold: 2
   # timeout in millisecond to indicate a client error.
   timeout: 3000
   # reset the circuit after this timeout in millisecond
-  resetTimeout: 7000
+  resetTimeout: 7000

client/src/main/resources/config/secret.yml

@@ -18,28 +18,28 @@ serverTruststorePass: password
 
 # Client section
 
-# Key store password, the path of keystore is defined in server.yml
+# Client Key store password, please use client.yml to define it.
 clientKeystorePass: password
 
-# Key password, the key is in keystore
+# Key password, the key is in keystore. Please use client.yml instead.
 clientKeyPass: password
 
-# Trust store password, the path of truststore is defined in server.yml
+# Client Trust store password, please use client.yml to define it.
 clientTruststorePass: password
 
-# Authorization code client secret for OAuth2 server
+# Authorization code client secret for OAuth2 server. Please use client.yml
 authorizationCodeClientSecret: f6h1FTI8Q3-7UScPZDzfXA
 
-# Client credentials client secret for OAuth2 server
+# Client credentials client secret for OAuth2 server. Please use client.yml
 clientCredentialsClientSecret: f6h1FTI8Q3-7UScPZDzfXA
 
-# Fresh token client secret for OAuth2 server
+# Fresh token client secret for OAuth2 server. Please use client.yml
 refreshTokenClientSecret: f6h1FTI8Q3-7UScPZDzfXA
 
-# Key distribution client secret for OAuth2 server
+# Key distribution client secret for OAuth2 server. Please use client.yml
 keyClientSecret: f6h1FTI8Q3-7UScPZDzfXA
 
-# De-Reference access token to JWT token client secret.
+# De-Reference access token to JWT token client secret. Please use client.yml
 derefClientSecret: f6h1FTI8Q3-7UScPZDzfXA
 
 # Consul service registry and discovery