Feature/shar 285 OIDC pkce (#280)

* WIP, need to request use of dispatcher vs enqueue in test.

* Initial implementation of a more 'pure' OpenID Connection token provider.

* remove identityc substitution.

* Correct missing semicolons.

* Update jacoco version.

* Allow caller to determine auth callback methods.

* Autogenerated JaCoCo coverage badge

* Correct code generation and apply timeout to login sequence.

* CwbiAUthTokenProviderBase now extends OidcAuthTokenProvider.

Removed previous DiscoveryProvider as all configuration discovery is now
handled within OidcAuthTokenProvider.

* Override URL and SSL data for DirectGrant only.

* Correct tests for new behavior.

* Autogenerated JaCoCo coverage badge

* PR review updates.

---------

Co-authored-by: builduser <builduser@rmanet.com>

Author: MikeNeilson

.github/coveragereport/badge_branchcoverage.svg

@@ -8,3 +8,4 @@ build
 **/bin
 **/.idea/
 lib/
+.vscode

.github/coveragereport/badge_linecoverage.svg

@@ -32,7 +32,7 @@ subprojects {
     }
 
     jacoco {
-        toolVersion = "0.8.7"
+        toolVersion = "0.8.11"
     }
 
     jacocoTestReport {

.github/coveragereport/badge_methodcoverage.svg

@@ -22,6 +22,10 @@ configurations.implementation.extendsFrom(configurations.annotationProcessor)
 
 test {
     useJUnitPlatform()
+    // when passing --tests by default it needs to match all in all subjects
+    filter {
+            setFailOnNoMatchingTests(false)
+    }
 }
 
 javadoc {

.gitignore

@@ -0,0 +1,191 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2024 Hydrologic Engineering Center
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package hec.army.usace.hec.cwbi.auth.http.client;
+
+import mil.army.usace.hec.cwms.http.client.HttpRequestBuilderImpl;
+import mil.army.usace.hec.cwms.http.client.HttpRequestResponse;
+import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
+import mil.army.usace.hec.cwms.http.client.request.HttpRequestExecutor;
+import mil.army.usace.hec.cwms.http.client.request.QueryParameters;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import java.util.logging.Logger;
+
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+import com.sun.net.httpserver.HttpServer;
+
+/**
+ * Use Authorization Code + PKCE method to retrieve initial token set.
+ *
+ * If a desktop is available users's default Browser is opened with the given auth URL
+ * To complete the additional requirements.
+ */
+public final class AuthCodePkceTokenRequestBuilder extends TokenRequestBuilder<AuthCodePkceTokenRequestBuilder> {
+    private static final Logger LOGGER = Logger.getLogger(AuthCodePkceTokenRequestBuilder.class.getName());
+    @Override
+    OAuth2Token retrieveToken() throws IOException {
+
+        OAuth2Token retVal = null;
+        HttpServer server = null;
+        // https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+        try {
+            byte[] verifierBytes = new byte[128];
+            SecureRandom.getInstanceStrong().nextBytes(verifierBytes);
+            Base64.Encoder b64encoder = Base64.getUrlEncoder().withoutPadding();
+            final String verifier = b64encoder.encodeToString(verifierBytes);
+            final String originalState = UUID.randomUUID().toString();
+
+            MessageDigest md = MessageDigest.getInstance("SHA-256");
+            final String challenge = b64encoder.encodeToString(md.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
+            server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
+            int port = server.getAddress().getPort();
+            String host = server.getAddress().getHostName();
+
+            final CompletableFuture<Result> future = new CompletableFuture<>();
+
+            server.createContext("/", new HttpHandler() {
+
+                @Override
+                public void handle(HttpExchange exchange) throws IOException {
+                    Result ret = null;
+
+                    final String query = exchange.getRequestURI().getQuery();
+                    LOGGER.fine("Got auth server response." + query);
+                    final QueryParameters parameters = QueryParameters.parse(query);
+                    if (!parameters.get("error").isEmpty()) {
+                        String error = parameters.get("error").get(0);
+                        String errorDescription = parameters.get("error_description").get(0);
+                        ret = Result.failure(error, errorDescription);
+                    } else {
+                        String code = parameters.get("code").get(0);
+                        String state = parameters.get("state").get(0);
+                        String session_state = parameters.get("session_state").get(0);
+                        ret = Result.success(code ,state, session_state);
+                    }
+                    LOGGER.fine("Returning result back to thread.");
+                    exchange.sendResponseHeaders(204, 0);
+
+                    future.complete(ret);
+                }
+
+            });
+            final String redirectUri = String.format("http://%s:%d", host, port);
+            final QueryParameters authParameters = QueryParameters.empty()
+                .set("grant_type", "code")
+                .set("client_id", getClientId())
+                .set("scope", "openid profile")
+                .set("response_type", "code")
+                .set("code_challenge_method", "S256")
+                .set("code_challenge", challenge)
+                .set("redirect_uri", redirectUri)
+                .set("state", originalState);
+            String urlStr= String.format("%s?%s", getAuthUrl().getApiRoot(), authParameters.encode());
+            // start server to listen
+            server.start();
+            LOGGER.info("Handling Auth Request");
+            LOGGER.finer("Auth Request URL: " + urlStr);
+            this.authCallBack.accept(URI.create(urlStr));
+
+            Result result = future.get(3, TimeUnit.MINUTES); // The user is now required to perform manual operations.
+            LOGGER.info("Retrieving Token.");
+            if (result.error != null) {
+                throw new IOException(String.format("Unable to login. %s : %s", result.error, result.errorDescription));
+            }
+            if (!result.state.equals(originalState)) {
+                throw new IOException("Unable to continue login sequence, incorrect state value returned.");
+            }
+            final UrlEncodedFormData formData = new UrlEncodedFormData();
+            formData.addClientId(getClientId())
+                    .addGrantType("authorization_code")
+                    .addParameter("code_verifier", verifier)
+                    .addScopes("openid", "profile")
+                    .addParameter("redirect_uri", redirectUri)
+                    .addParameter("state", result.state)
+                    .addParameter("session_state", result.session_state)
+                    .addParameter("code", result.code)
+                    .addParameter("response_mode", "fragment")
+                    .addParameter("response_type", "id_token token");
+
+            HttpRequestExecutor executor =
+                new HttpRequestBuilderImpl(getTokenUrl())
+                    .post()
+                    .withBody(formData.buildEncodedString())
+                    .withMediaType(MEDIA_TYPE);
+            try (HttpRequestResponse response = executor.execute()) {
+                String body = response.getBody();
+                if (body != null) {
+                    retVal = OAuth2ObjectMapper.mapJsonToObject(body, OAuth2Token.class);
+                }
+            }
+            return retVal;
+        } catch (NoSuchAlgorithmException ex) {
+            throw new IOException("Unable to retrieve SecureRandom or Message Digest instance to generate verifier", ex);
+        } catch (InterruptedException | ExecutionException | TimeoutException ex) {
+            throw new IOException("Unable to form login sequence.", ex);
+        }
+        finally {
+            if (server != null) {
+                server.stop(0);
+            }
+        }
+    }
+
+    private static class Result {
+        public final String code;
+        public final String state;
+        public final String session_state;
+
+        public final String error;
+        public final String errorDescription;
+
+        private Result(String code, String state, String session_state, String error, String errorDescription) {
+            this.code = code;
+            this.state = state;
+            this.session_state = session_state;
+            this.error = error;
+            this.errorDescription = errorDescription;
+        }
+
+        public static Result success(String code, String state, String session_state) {
+            return new Result(code, state, session_state, null, null);
+        }
+
+        public static Result failure(String error, String errorDescription) {
+            return new Result(null, null, null, error, errorDescription);
+        }
+    };
+}

build.gradle

@@ -24,35 +24,55 @@
 package hec.army.usace.hec.cwbi.auth.http.client;
 
 import hec.army.usace.hec.cwbi.auth.http.client.trustmanagers.CwbiAuthTrustManager;
+
+import java.io.IOException;
 import java.util.Objects;
+
 import javax.net.ssl.SSLSocketFactory;
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfoBuilder;
 import mil.army.usace.hec.cwms.http.client.SslSocketData;
+import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
 
+/**
+ * Suitable only for CWBI Keycloaks direct grant setup.
+ */
 public final class CwbiAuthTokenProvider extends CwbiAuthTokenProviderBase {
 
     private final SSLSocketFactory sslSocketFactory;
-    private final String url;
 
     /**
      * Provider for OAuth2Tokens.
      *
-     * @param tokenUrl - URL we are fetching token from
+     * @param wellKnownUrl - URL we are retrieving configuration from
      * @param clientId - client name
      * @param sslSocketFactory - ssl socket factory
      */
-    public CwbiAuthTokenProvider(String tokenUrl, String clientId, SSLSocketFactory sslSocketFactory) {
-        super(clientId);
+    public CwbiAuthTokenProvider(String wellKnownUrl, String clientId, SSLSocketFactory sslSocketFactory) {
+        super(clientId, wellKnownUrl);
         this.sslSocketFactory = Objects.requireNonNull(sslSocketFactory, "Missing required sslSocketFactory");
-        this.url = Objects.requireNonNull(tokenUrl, "Missing required tokenUrl");
     }
 
     @Override
     ApiConnectionInfo getUrl() {
-        return new ApiConnectionInfoBuilder(url)
+        return new ApiConnectionInfoBuilder(this.wellKnownUrl)
+                .withSslSocketData(new SslSocketData(sslSocketFactory, CwbiAuthTrustManager.getTrustManager()))
+                .build();
+    }
+
+    @Override
+    public ApiConnectionInfo getAuthUrl() {
+        // This is specific to CWBI Direct Grant so this replacement as-is is fine
+        return new ApiConnectionInfoBuilder(this.tokenUrl.getApiRoot().replace("identity", "identityc"))
                 .withSslSocketData(new SslSocketData(sslSocketFactory, CwbiAuthTrustManager.getTrustManager()))
                 .build();
     }
 
+    @Override
+    public OAuth2Token newToken() throws IOException {
+        return new DirectGrantX509TokenRequestBuilder()
+                .withTokenUrl(getAuthUrl())
+                .buildRequest().withClientId(clientId)
+                .fetchToken();
+    }
 }

buildSrc/src/main/groovy/cwms-data-api-client.java-conventions.gradle

@@ -24,50 +24,35 @@
 package hec.army.usace.hec.cwbi.auth.http.client;
 
 import java.io.IOException;
-import java.util.Objects;
+
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
-import mil.army.usace.hec.cwms.http.client.auth.OAuth2TokenProvider;
 
-abstract class CwbiAuthTokenProviderBase implements OAuth2TokenProvider {
-    protected OAuth2Token oauth2Token;
-    protected final String clientId;
+abstract class CwbiAuthTokenProviderBase extends OidcAuthTokenProvider {
 
-    protected CwbiAuthTokenProviderBase(String clientId) {
-        this.clientId = Objects.requireNonNull(clientId, "Missing required clientId");
+    protected CwbiAuthTokenProviderBase(String clientId, String wellKnownUrl) {
+        super(clientId, wellKnownUrl);
     }
 
     abstract ApiConnectionInfo getUrl() throws IOException;
 
-    @Override
-    public synchronized void clear() {
-        oauth2Token = null;
-    }
 
     @Override
     public synchronized OAuth2Token getToken() throws IOException {
-        if (oauth2Token == null) {
-            oauth2Token = newToken();
+        if (token == null) {
+            token = newToken();
         }
-        return oauth2Token;
-    }
-
-    @Override
-    public OAuth2Token newToken() throws IOException {
-        return new DirectGrantX509TokenRequestBuilder()
-                .withUrl(getUrl())
-                .withClientId(clientId)
-                .fetchToken();
+        return token;
     }
 
     @Override
     public synchronized OAuth2Token refreshToken() throws IOException {
-        OAuth2Token token = new RefreshTokenRequestBuilder()
-                .withRefreshToken(oauth2Token.getRefreshToken())
-                .withUrl(getUrl())
+        OAuth2Token newToken = new RefreshTokenRequestBuilder()
+                .withRefreshToken(token.getRefreshToken())
+                .withUrl(tokenUrl)
                 .withClientId(clientId)
                 .fetchToken();
-        oauth2Token = token;
+        token = newToken;
         return token;
     }
 

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/AuthCodePkceTokenRequestBuilder.java

@@ -23,14 +23,15 @@
  */
 package hec.army.usace.hec.cwbi.auth.http.client;
 
+import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 import mil.army.usace.hec.cwms.http.client.HttpRequestBuilderImpl;
 import mil.army.usace.hec.cwms.http.client.HttpRequestResponse;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
 import mil.army.usace.hec.cwms.http.client.request.HttpRequestExecutor;
 
 import java.io.IOException;
 
-public final class DirectGrantX509TokenRequestBuilder extends TokenRequestBuilder {
+public final class DirectGrantX509TokenRequestBuilder extends TokenRequestBuilder<DirectGrantX509TokenRequestBuilder> {
 
     @Override
     OAuth2Token retrieveToken() throws IOException {
@@ -43,7 +44,7 @@ OAuth2Token retrieveToken() throws IOException {
                 .addUsername("")
                 .buildEncodedString();
         HttpRequestExecutor executor =
-                new HttpRequestBuilderImpl(getUrl())
+                new HttpRequestBuilderImpl(getTokenUrl())
                         .post()
                         .withBody(formBody)
                         .withMediaType(MEDIA_TYPE);