Merge pull request #941 from exadel-inc/EFRS-1286_the_ability_to_delete_expired_access_and_refresh_tokens

EFRS-1286: Added the ability to delete expired access and refresh tokens

Author: VolodymyrBushko

java/admin/src/main/java/com/exadel/frs/system/security/CustomJdbcTokenStore.java

@@ -0,0 +1,90 @@
+package com.exadel.frs.system.security;
+
+import static java.time.ZoneOffset.UTC;
+import java.sql.Types;
+import java.time.LocalDateTime;
+import javax.sql.DataSource;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.support.SqlLobValue;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.OAuth2RefreshToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.AuthenticationKeyGenerator;
+import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+@Slf4j
+@Component
+public class CustomJdbcTokenStore extends JdbcTokenStore {
+
+    private static final String INSERT_ACCESS_TOKEN_WITH_EXPIRATION_SQL = "insert into oauth_access_token (token_id, token, authentication_id, user_name, client_id, authentication, refresh_token, expiration) values (?, ?, ?, ?, ?, ?, ?,?)";
+    private static final String INSERT_REFRESH_TOKEN_WITH_EXPIRATION_SQL = "insert into oauth_refresh_token (token_id, token, authentication, expiration) values (?, ?, ?, ?)";
+    private static final String REMOVE_EXPIRED_ACCESS_TOKENS_SQL = "delete from oauth_access_token where expiration < ?";
+    private static final String REMOVE_EXPIRED_REFRESH_TOKENS_SQL = "delete from oauth_refresh_token where expiration < ?";
+
+    private final JdbcTemplate jdbcTemplate;
+    private final AuthenticationKeyGenerator authenticationKeyGenerator;
+
+    public CustomJdbcTokenStore(DataSource dataSource) {
+        super(dataSource);
+        this.jdbcTemplate = new JdbcTemplate(dataSource);
+        this.authenticationKeyGenerator = new AuthenticationKeyGeneratorImpl();
+        this.setAuthenticationKeyGenerator(this.authenticationKeyGenerator);
+    }
+
+    @Override
+    public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
+        String refreshToken = null;
+        if (token.getRefreshToken() != null) {
+            refreshToken = token.getRefreshToken().getValue();
+        }
+
+        if (readAccessToken(token.getValue()) != null) {
+            removeAccessToken(token.getValue());
+        }
+
+        jdbcTemplate.update(INSERT_ACCESS_TOKEN_WITH_EXPIRATION_SQL, new Object[]{extractTokenKey(token.getValue()),
+                        new SqlLobValue(serializeAccessToken(token)), this.authenticationKeyGenerator.extractKey(authentication),
+                        authentication.isClientOnly() ? null : authentication.getName(),
+                        authentication.getOAuth2Request().getClientId(),
+                        new SqlLobValue(serializeAuthentication(authentication)), extractTokenKey(refreshToken),
+                        token.getExpiration().toInstant().atOffset(UTC).toLocalDateTime()},
+                new int[]{Types.VARCHAR, Types.BLOB, Types.VARCHAR, Types.VARCHAR, Types.VARCHAR, Types.BLOB, Types.VARCHAR, Types.TIMESTAMP}
+        );
+    }
+
+    @Override
+    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
+        DefaultExpiringOAuth2RefreshToken oAuth2RefreshToken = (DefaultExpiringOAuth2RefreshToken) refreshToken;
+        jdbcTemplate.update(INSERT_REFRESH_TOKEN_WITH_EXPIRATION_SQL, new Object[]{
+                        extractTokenKey(refreshToken.getValue()),
+                        new SqlLobValue(serializeRefreshToken(refreshToken)),
+                        new SqlLobValue(serializeAuthentication(authentication)),
+                        oAuth2RefreshToken.getExpiration().toInstant().atOffset(UTC).toLocalDateTime()},
+                new int[]{Types.VARCHAR, Types.BLOB, Types.BLOB, Types.TIMESTAMP}
+        );
+    }
+
+    @Transactional
+    @Scheduled(cron = "@weekly", zone = "UTC")
+    public void removeExpiredTokens() {
+        LocalDateTime now = LocalDateTime.now(UTC);
+        int accessTokenCount = this.jdbcTemplate.update(
+                REMOVE_EXPIRED_ACCESS_TOKENS_SQL,
+                now
+        );
+        int refreshTokenCount = this.jdbcTemplate.update(
+                REMOVE_EXPIRED_REFRESH_TOKENS_SQL,
+                now
+        );
+        log.info(
+                "Removed {} expired access tokens and {} expired update tokens",
+                accessTokenCount,
+                refreshTokenCount
+        );
+    }
+}

java/admin/src/main/java/com/exadel/frs/system/security/config/AuthServerConfig.java

@@ -19,6 +19,7 @@
 import static com.exadel.frs.system.global.Constants.ADMIN;
 import static java.util.stream.Collectors.toList;
 import com.exadel.frs.system.security.AuthenticationKeyGeneratorImpl;
+import com.exadel.frs.system.security.CustomJdbcTokenStore;
 import com.exadel.frs.system.security.CustomOAuth2Exception;
 import com.exadel.frs.system.security.CustomUserDetailsService;
 import com.exadel.frs.system.security.TokenServicesImpl;
@@ -56,16 +57,9 @@ public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
     private final AuthenticationManager authenticationManager;
     private final ClientService clientService;
     private final CustomUserDetailsService userDetailsService;
-    private final DataSource dataSource;
     private final PasswordEncoder passwordEncoder;
     private final OAuthClientProperties authClientProperties;
-
-    @Bean
-    public JdbcTokenStore tokenStore() {
-        JdbcTokenStore tokenStore = new JdbcTokenStore(dataSource);
-        tokenStore.setAuthenticationKeyGenerator(new AuthenticationKeyGeneratorImpl());
-        return tokenStore;
-    }
+    private final JdbcTokenStore tokenStore;
 
     @Bean
     @Primary
@@ -82,7 +76,7 @@ public TokenEndpoint tokenEndpoint(AuthorizationServerEndpointsConfiguration con
 
     @Bean
     public DefaultTokenServices tokenServices() {
-        TokenServicesImpl tokenServices = new TokenServicesImpl(tokenStore());
+        TokenServicesImpl tokenServices = new TokenServicesImpl(tokenStore);
         tokenServices.setClientDetailsService(clientService);
         return tokenServices;
     }
@@ -118,7 +112,7 @@ public void configure(final ClientDetailsServiceConfigurer clients) throws Excep
     @Override
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
         endpoints
-                .tokenStore(tokenStore())
+                .tokenStore(tokenStore)
                 .tokenServices(tokenServices())
                 .authenticationManager(authenticationManager)
                 .userDetailsService(userDetailsService)
@@ -135,4 +129,4 @@ public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
             }
         });
     }
-}
+}

java/admin/src/main/resources/application.yml

@@ -55,6 +55,13 @@ spring:
     database: postgresql
     open-in-view: true
     generate-ddl: false
+  liquibase:
+    parameters:
+      common-client:
+        client-id: ${app.security.oauth2.clients.COMMON.client-id}
+        access-token-validity: ${app.security.oauth2.clients.COMMON.access-token-validity}
+        refresh-token-validity: ${app.security.oauth2.clients.COMMON.refresh-token-validity}
+        authorized-grant-types: ${app.security.oauth2.clients.COMMON.authorized-grant-types}
   mail:
     enable: ${ENABLE_EMAIL_SERVER:false}
     host: ${EMAIL_HOST:example.com}

java/admin/src/main/resources/db/changelog/db.changelog-0.2.5.yaml

@@ -0,0 +1,33 @@
+databaseChangeLog:
+  - changeSet:
+      id: expand-oauth_access_token-and-oauth_refresh_token-with-expiration-column
+      author: Volodymyr Bushko
+      changes:
+        # add an expiration column to the oauth_access_token & oauth_refresh_token tables
+        - addColumn:
+            tableName: oauth_access_token
+            columns:
+              - column:
+                  name: expiration
+                  type: timestamp
+        - addColumn:
+            tableName: oauth_refresh_token
+            columns:
+              - column:
+                  name: expiration
+                  type: timestamp
+        # set the expiration columns in order to avoid conflicts
+        - customChange: {
+          "class": "com.exadel.frs.commonservice.system.liquibase.customchange.SetOAuthTokenExpirationCustomChange",
+          "clientId": "${common-client.client-id}",
+          "accessTokenValidity": "${common-client.access-token-validity}",
+          "refreshTokenValidity": "${common-client.refresh-token-validity}",
+          "authorizedGrantTypes": "${common-client.authorized-grant-types}"
+        }
+        # add a not-null constraint to the expiration columns
+        - addNotNullConstraint:
+            tableName: oauth_access_token
+            columnName: expiration
+        - addNotNullConstraint:
+            tableName: oauth_refresh_token
+            columnName: expiration

java/admin/src/main/resources/db/changelog/db.changelog-master.yaml

@@ -47,3 +47,5 @@ databaseChangeLog:
       file: db/changelog/db.changelog-0.2.3.yaml
   - include:
       file: db/changelog/db.changelog-0.2.4.yaml
+  - include:
+      file: db/changelog/db.changelog-0.2.5.yaml

java/admin/src/test/resources/application.yml

@@ -48,6 +48,13 @@ spring:
     database: postgresql
     open-in-view: true
     generate-ddl: false
+  liquibase:
+    parameters:
+      common-client:
+        client-id: ${app.security.oauth2.clients.COMMON.client-id}
+        access-token-validity: ${app.security.oauth2.clients.COMMON.access-token-validity}
+        refresh-token-validity: ${app.security.oauth2.clients.COMMON.refresh-token-validity}
+        authorized-grant-types: ${app.security.oauth2.clients.COMMON.authorized-grant-types}
   mail:
     from: [email protected]
     username: [email protected]

java/api/src/test/java/com/exadel/frs/core/trainservice/EmbeddedPostgreSQLTest.java

@@ -2,6 +2,8 @@
 
 import com.exadel.frs.core.trainservice.config.IntegrationTest;
 import io.zonky.test.db.AutoConfigureEmbeddedDatabase;
+import javax.annotation.PostConstruct;
+import javax.sql.DataSource;
 import liquibase.Contexts;
 import liquibase.LabelExpression;
 import liquibase.Liquibase;
@@ -10,12 +12,10 @@
 import liquibase.integration.spring.SpringResourceAccessor;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.env.Environment;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-import javax.annotation.PostConstruct;
-import javax.sql.DataSource;
-
 @IntegrationTest
 @ExtendWith(SpringExtension.class)
 @AutoConfigureEmbeddedDatabase(beanName = "dsPg")
@@ -27,6 +27,9 @@ public class EmbeddedPostgreSQLTest {
     @Autowired
     ResourceLoader resourceLoader;
 
+    @Autowired
+    private Environment env;
+
     @PostConstruct
     public void initDatabase() {
         try {
@@ -35,10 +38,23 @@ public void initDatabase() {
                     new SpringResourceAccessor(resourceLoader),
                     DatabaseFactory.getInstance().findCorrectDatabaseImplementation(new JdbcConnection(dataSource.getConnection()))
             );
+            setLiquibaseChangeLogParams(liquibase);
             liquibase.update(new Contexts(), new LabelExpression());
         } catch (Exception e) {
             //manage exception
             e.printStackTrace();
         }
     }
+
+    private void setLiquibaseChangeLogParams(final Liquibase liquibase) {
+        String clientId = env.getProperty("spring.liquibase.parameters.common-client.client-id", "CommonClientId");
+        String accessTokenValidity = env.getProperty("spring.liquibase.parameters.common-client.access-token-validity", "2400");
+        String refreshTokenValidity = env.getProperty("spring.liquibase.parameters.common-client.refresh-token-validity", "1209600");
+        String authorizedGrantTypes = env.getProperty("spring.liquibase.parameters.common-client.authorized-grant-types", "password,refresh_token");
+
+        liquibase.setChangeLogParameter("common-client.client-id", clientId);
+        liquibase.setChangeLogParameter("common-client.access-token-validity", accessTokenValidity);
+        liquibase.setChangeLogParameter("common-client.refresh-token-validity", refreshTokenValidity);
+        liquibase.setChangeLogParameter("common-client.authorized-grant-types", authorizedGrantTypes);
+    }
 }

java/api/src/test/resources/application.yml

@@ -5,6 +5,12 @@ spring:
     enabled: false
   liquibase:
     enabled: false
+    parameters:
+      common-client:
+        client-id: CommonClientId
+        access-token-validity: 2400
+        refresh-token-validity: 1209600
+        authorized-grant-types: password,refresh_token
   datasource-pg:
     driver-class-name: org.postgresql.Driver
     url: ${POSTGRES_URL:jdbc:postgresql://localhost:5432/frs_test}
@@ -62,4 +68,4 @@ logging:
   level:
     org.hibernate.SQL: DEBUG
     org.hibernate.type.descriptor.sql.BasicBinder: TRACE
-    org.hibernate.type: TRACE
+    org.hibernate.type: TRACE

java/api/src/test/resources/db/changelog/db.changelog-0.2.5.yaml

@@ -0,0 +1,33 @@
+databaseChangeLog:
+  - changeSet:
+      id: expand-oauth_access_token-and-oauth_refresh_token-with-expiration-column
+      author: Volodymyr Bushko
+      changes:
+        # add an expiration column to the oauth_access_token & oauth_refresh_token tables
+        - addColumn:
+            tableName: oauth_access_token
+            columns:
+              - column:
+                  name: expiration
+                  type: timestamp
+        - addColumn:
+            tableName: oauth_refresh_token
+            columns:
+              - column:
+                  name: expiration
+                  type: timestamp
+        # set the expiration columns in order to avoid conflicts
+        - customChange: {
+          "class": "com.exadel.frs.commonservice.system.liquibase.customchange.SetOAuthTokenExpirationCustomChange",
+          "clientId": "${common-client.client-id}",
+          "accessTokenValidity": "${common-client.access-token-validity}",
+          "refreshTokenValidity": "${common-client.refresh-token-validity}",
+          "authorizedGrantTypes": "${common-client.authorized-grant-types}"
+        }
+        # add a not-null constraint to the expiration columns
+        - addNotNullConstraint:
+            tableName: oauth_access_token
+            columnName: expiration
+        - addNotNullConstraint:
+            tableName: oauth_refresh_token
+            columnName: expiration

java/api/src/test/resources/db/changelog/db.changelog-master.yaml

@@ -47,3 +47,5 @@ databaseChangeLog:
       file: db/changelog/db.changelog-0.2.3.yaml
   - include:
       file: db/changelog/db.changelog-0.2.4.yaml
+  - include:
+      file: db/changelog/db.changelog-0.2.5.yaml