
fixes networknt#552 get client_secret from client.yml instead of secr…
…et.yml (networknt#553)
stevehu committed Jun 19, 2019
1 parent 8d239db commit 9b0560c
Showing 11 changed files with 160 additions and 53 deletions.
7 changes: 7 additions & 0 deletions client/src/main/java/com/networknt/client/ClientConfig.java
Expand Up @@ -111,6 +111,13 @@ public Map<String, Object> getTokenConfig() {
return tokenConfig;
}

/**
*
* The secret has been moved back to client.yml
*
* @return Map of secret config
*/
@Deprecated
public Map<String, Object> getSecretConfig() {
return secretConfig;
}
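Review bot: The Javadoc on getSecretConfig() pairs the @Deprecated annotation with no `@deprecated` tag, so javadoc tooling warns and callers are not told what replaces the method or that it is still consulted as a fallback. Add a line after the summary such as `@deprecated secrets now live in the tls and oauth sections of client.yml; secret.yml is read only as a fallback when a key is absent there`. The two empty `*` lines around the summary can be dropped at the same time.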
19 changes: 16 additions & 3 deletions client/src/main/java/com/networknt/client/Http2Client.java
Expand Up @@ -113,7 +113,10 @@ public class Http2Client {
static final String LOAD_TRUST_STORE = "loadTrustStore";
static final String LOAD_KEY_STORE = "loadKeyStore";
static final String TRUST_STORE = "trustStore";
static final String TRUST_STORE_PASS = "trustStorePass";
static final String KEY_STORE = "keyStore";
static final String KEY_STORE_PASS = "keyStorePass";
static final String KEY_PASS = "keyPass";
static final String KEY_STORE_PROPERTY = "javax.net.ssl.keyStore";
static final String KEY_STORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
static final String TRUST_STORE_PROPERTY = "javax.net.ssl.trustStore";
Expand Down Expand Up @@ -442,11 +445,18 @@ public static SSLContext createSSLContext(String trustedNamesGroupKey) throws IO
if(logger.isInfoEnabled()) logger.info("Loading key store from system property at " + Encode.forJava(keyStoreName));
} else {
keyStoreName = (String) tlsMap.get(KEY_STORE);
keyStorePass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEYSTORE_PASS);
// load keyStorePass from the client.yml first and fallback to secret.yml if doesn't exist.
keyStorePass = (String) tlsMap.get(KEY_STORE_PASS);
if(keyStorePass == null) {
keyStorePass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEYSTORE_PASS);
}
if(logger.isInfoEnabled()) logger.info("Loading key store from config at " + Encode.forJava(keyStoreName));
}
if (keyStoreName != null && keyStorePass != null) {
String keyPass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEY_PASS);
String keyPass = (String) tlsMap.get(KEY_PASS);
if(keyPass == null) {
keyPass = (String) ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_KEY_PASS);
}
KeyStore keyStore = TlsUtil.loadKeyStore(keyStoreName, keyStorePass.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyPass.toCharArray());
Expand All @@ -470,7 +480,10 @@ public static SSLContext createSSLContext(String trustedNamesGroupKey) throws IO
if(logger.isInfoEnabled()) logger.info("Loading trust store from system property at " + Encode.forJava(trustStoreName));
} else {
trustStoreName = (String) tlsMap.get(TRUST_STORE);
trustStorePass = (String)ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_TRUSTSTORE_PASS);
trustStorePass = (String) tlsMap.get(TRUST_STORE_PASS);
if(trustStorePass == null) {
trustStorePass = (String)ClientConfig.get().getSecretConfig().get(SecretConstants.CLIENT_TRUSTSTORE_PASS);
}
if(logger.isInfoEnabled()) logger.info("Loading trust store from config at " + Encode.forJava(trustStoreName));
}
if (trustStoreName != null && trustStorePass != null) {
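Review bot: keyPass can still be null after the new client.yml-then-secret.yml lookup (neither file defines it) and reaches `keyPass.toCharArray()` in keyManagerFactory.init() two lines below, because the guard above checks only keyStoreName and keyStorePass. Fail with a clear message instead of a NullPointerException, e.g. `if(keyPass == null) throw new IllegalStateException("keyPass is not defined in the client.yml tls section or in secret.yml");` — the gap pre-dates the commit, but the new lookup order is where an operator migrating from secret.yml will hit it. The same two-step lookup is written out for keyStorePass here and for trustStorePass in the next hunk, so a small helper (client.yml value, else secret.yml value) would keep the precedence in one place and make the deprecated accessor easy to remove later. Whether ClientConfig.get().getSecretConfig() can itself return null once secret.yml is dropped is not visible here; if it can, each fallback also needs a null check. createSSLContext starts and ends outside these hunks.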
Expand Up @@ -27,7 +27,6 @@
* Created by steve on 02/09/16.
*/
public class AuthorizationCodeRequest extends TokenRequest {
static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);

String authCode;
String redirectUri;
Expand All @@ -39,7 +38,6 @@ public class AuthorizationCodeRequest extends TokenRequest {
public AuthorizationCodeRequest() {
setGrantType(AUTHORIZATION_CODE);
Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
// client_secret is in secret.yml instead of client.yml
if(clientConfig != null) {
Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
if(oauthConfig != null) {
Expand All @@ -52,7 +50,13 @@ public AuthorizationCodeRequest() {
Map<String, Object> acConfig = (Map<String, Object>) tokenConfig.get(AUTHORIZATION_CODE);
if(acConfig != null) {
setClientId((String)acConfig.get(CLIENT_ID));
setClientSecret((String)secret.get(SecretConstants.AUTHORIZATION_CODE_CLIENT_SECRET));
// load client secret from client.yml and fallback to secret.yml
if(acConfig.get(CLIENT_SECRET) != null) {
setClientSecret((String)acConfig.get(CLIENT_SECRET));
} else {
Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
setClientSecret((String)secret.get(SecretConstants.AUTHORIZATION_CODE_CLIENT_SECRET));
}
setUri((String)acConfig.get(URI));
setScope((List<String>)acConfig.get(SCOPE));
setRedirectUri((String)acConfig.get(REDIRECT_URI));
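Review bot: The new else branch dereferences the result of Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET) with `secret.get(...)` and no null check, while the same constructor guards clientConfig from the same loader with `if(clientConfig != null)`; now that secret.yml is deprecated, a deployment that drops the file and omits client_secret from client.yml gets a NullPointerException here rather than a usable message. Guard it the same way, `if(secret != null) setClientSecret((String)secret.get(SecretConstants.AUTHORIZATION_CODE_CLIENT_SECRET));`, and consider a warn-level log when neither source provides the secret. The identical branch appears in ClientCredentialsRequest, DerefRequest and RefreshTokenRequest in this commit. The lookup also moves from class initialisation (the removed static field) into every constructor call; whether Config caches the parsed map is not visible here, so a short comment on the fallback stating that assumption would help the next reader. The AuthorizationCodeRequest() constructor continues past the hunk.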
Expand Up @@ -34,13 +34,10 @@
* @author Steve Hu
*/
public class ClientCredentialsRequest extends TokenRequest {
static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);


public ClientCredentialsRequest() {
setGrantType(CLIENT_CREDENTIALS);
Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
// client_secret is in secret.yml instead of client.yml
if(clientConfig != null) {
Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
if(oauthConfig != null) {
Expand All @@ -53,7 +50,13 @@ public ClientCredentialsRequest() {
Map<String, Object> ccConfig = (Map<String, Object>) tokenConfig.get(CLIENT_CREDENTIALS);
if(ccConfig != null) {
setClientId((String)ccConfig.get(CLIENT_ID));
setClientSecret((String)secret.get(SecretConstants.CLIENT_CREDENTIALS_CLIENT_SECRET));
// load client secret from client.yml and fallback to secret.yml
if(ccConfig.get(CLIENT_SECRET) != null) {
setClientSecret((String)ccConfig.get(CLIENT_SECRET));
} else {
Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
setClientSecret((String)secret.get(SecretConstants.CLIENT_CREDENTIALS_CLIENT_SECRET));
}
setUri((String)ccConfig.get(URI));
//set default scope from config.
setScope((List<String>)ccConfig.get(SCOPE));
Expand Up @@ -29,10 +29,9 @@ public class DerefRequest {
public static String SERVICE_ID = "serviceId";
public static String URI = "uri";
public static String CLIENT_ID = "client_id";
public static String CLIENT_SECRET = "client_secret";
public static String ENABLE_HTTP2 = "enableHttp2";

static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);

String serverUrl;
String serviceId;
String uri;
Expand All @@ -42,7 +41,6 @@ public class DerefRequest {

public DerefRequest(String token) {
Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
// client_secret is in secret.yml instead of client.yml
if(clientConfig != null) {
Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
if(oauthConfig != null) {
Expand All @@ -54,7 +52,13 @@ public DerefRequest(String token) {
setEnableHttp2(object != null && (Boolean) object);
setUri(derefConfig.get(URI) + "/" + token);
setClientId((String)derefConfig.get(CLIENT_ID));
setClientSecret((String)secret.get(SecretConstants.DEREF_CLIENT_SECRET));
// load client secret from client.yml and fallback to secret.yml
if(derefConfig.get(CLIENT_SECRET) != null) {
setClientSecret((String)derefConfig.get(CLIENT_SECRET));
} else {
Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
setClientSecret((String)secret.get(SecretConstants.DEREF_CLIENT_SECRET));
}
}
}
}
Expand Up @@ -24,14 +24,12 @@
import com.networknt.config.Config;

public class RefreshTokenRequest extends TokenRequest {
static Map<String, Object> secret = (Map<String, Object>)Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);

String refreshToken;

public RefreshTokenRequest() {
setGrantType(REFRESH_TOKEN);
Map<String, Object> clientConfig = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_NAME);
// client_secret is in secret.yml instead of client.yml
if(clientConfig != null) {
Map<String, Object> oauthConfig = (Map<String, Object>)clientConfig.get(OAUTH);
if(oauthConfig != null) {
Expand All @@ -44,7 +42,13 @@ public RefreshTokenRequest() {
Map<String, Object> rtConfig = (Map<String, Object>) tokenConfig.get(REFRESH_TOKEN);
if(rtConfig != null) {
setClientId((String)rtConfig.get(CLIENT_ID));
setClientSecret((String)secret.get(SecretConstants.REFRESH_TOKEN_CLIENT_SECRET));
// load client secret from client.yml and fallback to secret.yml
if(rtConfig.get(CLIENT_SECRET) != null) {
setClientSecret((String)rtConfig.get(CLIENT_SECRET));
} else {
Map<String, Object> secret = Config.getInstance().getJsonMapConfig(Http2Client.CONFIG_SECRET);
setClientSecret((String)secret.get(SecretConstants.REFRESH_TOKEN_CLIENT_SECRET));
}
setUri((String)rtConfig.get(URI));
setScope((List<String>)rtConfig.get(SCOPE));
}
Expand Up @@ -33,6 +33,7 @@ public class TokenRequest {
public static String REFRESH_TOKEN = "refresh_token";
public static String URI = "uri";
public static String CLIENT_ID = "client_id";
public static String CLIENT_SECRET = "client_secret";
public static String REDIRECT_URI = "redirect_uri";
public static String SCOPE = "scope";
public static String CSRF = "csrf";
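Review bot: `CLIENT_SECRET` is added as a non-final `public static String`, so the config key name is a mutable global that any class on the classpath can reassign; declare it `public static final String CLIENT_SECRET = "client_secret";`. The neighbouring constants share the pattern, so this follows file convention, but the new line is the place to stop propagating it — DerefRequest gains the same non-final constant in this commit.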
Expand Up @@ -186,9 +186,9 @@ private void checkIdentity(SSLSession session, X509Certificate cert) throws Cert
/**
* This method converts existing X509TrustManagers to ClientX509ExtendedTrustManagers.
*
* @param trustManagers
* @param tlsConfig
* @return
* @param trustManagers array of TrustManagers
* @param tlsConfig TLSConfig
* @return TrustManager array
*/
public static TrustManager[] decorate(TrustManager[] trustManagers, TLSConfig tlsConfig) {
if (null!=trustManagers && trustManagers.length>0) {
42 changes: 33 additions & 9 deletions client/src/main/resources/config/client.yml
Expand Up @@ -5,14 +5,28 @@ tls:
# if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate
# or load truststore that contains the self-signed cretificate.
verifyHostname: true
# The default trustedNames group used to created default SSL context. This is used to create Http2Client.SSL if set.
defaultGroupKey: trustedNames.local
# trusted hostnames, service names, service Ids, and so on.
# Note: localhost and 127.0.0.1 are not trustable hostname/ip in general. So, these values should not be used as trusted names in production.
trustedNames:
local: localhost
negativeTest: invalidhost
empty:
# trust store contains certifictes that server needs. Enable if tls is used.
loadTrustStore: true
# trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword
trustStore: client.truststore
# trust store password
trustStorePass: password
# key store contains client key and it should be loaded if two-way ssl is uesed.
loadKeyStore: false
# key store location
keyStore: client.keystore
# key store password
keyStorePass: password
# private key password
keyPass: password
# settings for OAuth2 server communication
oauth:
# OAuth 2.0 token endpoint configuration
Expand All @@ -36,8 +50,10 @@ oauth:
authorization_code:
# token endpoint for authorization code grant
uri: "/oauth2/token"
# client_id for authorization code grant flow. client_secret is in secret.yml
# client_id for authorization code grant flow.
client_id: f7d42348-c647-4efb-a52d-4c5787421e72
# client_secret for authorization code grant flow.
client_secret: f6h1FTI8Q3-7UScPZDzfXA
# the web server uri that will receive the redirected authorization code
redirect_uri: https://localhost:8080/authorization_code
# optional scope, default scope in the client registration will be used if not defined.
Expand All @@ -50,6 +66,8 @@ oauth:
uri: "/oauth2/token"
# client_id for client credentials grant flow. client_secret is in secret.yml
client_id: f7d42348-c647-4efb-a52d-4c5787421e72
# client_secret for client credentials grant flow.
client_secret: f6h1FTI8Q3-7UScPZDzfXA
# optional scope, default scope in the client registration will be used if not defined.
scope:
- petstore.r
Expand All @@ -59,15 +77,17 @@ oauth:
uri: "/oauth2/token"
# client_id for refresh token grant flow. client_secret is in secret.yml
client_id: f7d42348-c647-4efb-a52d-4c5787421e72
# client_secret for refresh token
client_secret: f6h1FTI8Q3-7UScPZDzfXA
# optional scope, default scope in the client registration will be used if not defined.
scope:
- petstore.r
- petstore.w
# light-oauth2 key distribution endpoint configuration for token verification
key:
# key distribution server url
# key distribution server url for token verification. It will be used if it is configured.
server_url: https://localhost:6886
# the unique service id for key distribution service
# key serviceId for key distribution service, it will be used if above server_url is not configured.
serviceId: com.networknt.oauth2-key-1.0.0
# the path for the key distribution endpoint
uri: "/oauth2/key"
Expand All @@ -79,8 +99,10 @@ oauth:
enableHttp2: true
# sign endpoint configuration
sign:
# token server url. The default port number for token service is 6882.
# token server url. The default port number for token service is 6882. If this url exists, it will be used.
server_url: https://localhost:6882
# token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service.
serviceId: com.networknt.oauth2-token-1.0.0
# signing endpoint for the sign request
uri: "/oauth2/token"
# timeout in milliseconds
Expand All @@ -93,9 +115,9 @@ oauth:
client_secret: f6h1FTI8Q3-7UScPZDzfXA
# the key distribution sever config for sign. It can be different then token key distribution server.
key:
# key distribution server url
# key distribution server url. It will be used to establish connection if it exists.
server_url: https://localhost:6886
# the unique service id for key distribution service
# the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist.
serviceId: com.networknt.oauth2-key-1.0.0
# the path for the key distribution endpoint
uri: "/oauth2/key"
Expand All @@ -107,21 +129,23 @@ oauth:
enableHttp2: true
# de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider.
deref:
# Token service server url, this might be different than the above token server url.
# Token service server url, this might be different than the above token server url. The static url will be used if it is configured.
server_url: https://localhost:6882
# token service unique id for OAuth 2.0 provider. Need for service lookup/discovery.
# token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured.
serviceId: com.networknt.oauth2-token-1.0.0
# set to true if the oauth2 provider supports HTTP/2
enableHttp2: true
# the path for the key distribution endpoint
uri: "/oauth2/deref"
# client_id used to access key distribution service. It can be the same client_id with token service or not.
client_id: f7d42348-c647-4efb-a52d-4c5787421e72
# client_secret for deref
client_secret: f6h1FTI8Q3-7UScPZDzfXA
# circuit breaker configuration for the client
request:
# number of timeouts/errors to break the circuit
errorThreshold: 2
# timeout in millisecond to indicate a client error.
timeout: 3000
# reset the circuit after this timeout in millisecond
resetTimeout: 7000
resetTimeout: 7000
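Review bot: The comments above client_id in the client_credentials and refresh_token sections still say "client_secret is in secret.yml" although the hunks add client_secret directly below each of them; only the authorization_code comment was updated. Change them to `# client_id for client credentials grant flow.` and `# client_id for refresh token grant flow.` to match. With the OAuth client secrets and the keystore, key and truststore passwords now in client.yml, this file carries the sensitivity secret.yml had, so its header should say so and state that the sample values are placeholders to be replaced per environment — a file that previously held only non-sensitive settings is easy to leave in a repository or a shared config store.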
16 changes: 8 additions & 8 deletions client/src/main/resources/config/secret.yml
Expand Up @@ -18,28 +18,28 @@ serverTruststorePass: password

# Client section

# Key store password, the path of keystore is defined in server.yml
# Client Key store password, please use client.yml to define it.
clientKeystorePass: password

# Key password, the key is in keystore
# Key password, the key is in keystore. Please use client.yml instead.
clientKeyPass: password

# Trust store password, the path of truststore is defined in server.yml
# Client Trust store password, please use client.yml to define it.
clientTruststorePass: password

# Authorization code client secret for OAuth2 server
# Authorization code client secret for OAuth2 server. Please use client.yml
authorizationCodeClientSecret: f6h1FTI8Q3-7UScPZDzfXA

# Client credentials client secret for OAuth2 server
# Client credentials client secret for OAuth2 server. Please use client.yml
clientCredentialsClientSecret: f6h1FTI8Q3-7UScPZDzfXA

# Fresh token client secret for OAuth2 server
# Fresh token client secret for OAuth2 server. Please use client.yml
refreshTokenClientSecret: f6h1FTI8Q3-7UScPZDzfXA

# Key distribution client secret for OAuth2 server
# Key distribution client secret for OAuth2 server. Please use client.yml
keyClientSecret: f6h1FTI8Q3-7UScPZDzfXA

# De-Reference access token to JWT token client secret.
# De-Reference access token to JWT token client secret. Please use client.yml
derefClientSecret: f6h1FTI8Q3-7UScPZDzfXA

# Consul service registry and discovery
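Review bot: The new comments say "please use client.yml" but not that each value is still read as a fallback whenever the corresponding client.yml key is absent, so an operator who assumes secret.yml is now ignored may leave stale credentials here that silently take effect. State the precedence on each entry, e.g. `# Fallback only: used when the client.yml tls section has no keyStorePass. Prefer client.yml.`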
