Make new dashboard client credentials configurable on bootstrap

iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/validation/DashboardConfigValidator.java

@@ -0,0 +1,46 @@
+
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.client.management.validation;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
+
+import it.infn.mw.iam.config.IamProperties.DashboardProperties;
+
+@Component
+@Scope("prototype")
+public class DashboardConfigValidator implements ConstraintValidator<ValidDashboard, DashboardProperties> {
+
+  private static final String CLIENT_ID_REGEX = "^[a-zA-Z0-9\\-._~]{4,256}$";
+  private static final String CLIENT_SECRET_REGEX = "^[a-zA-Z0-9\\-._~]{32,72}$";
+
+  @Override
+  public boolean isValid(DashboardProperties dashboardProperties, ConstraintValidatorContext context) {
+    if (dashboardProperties == null || !dashboardProperties.isEnabled()) {
+      return true;
+    }
+    boolean validClientId = dashboardProperties.getClientId() != null
+        && dashboardProperties.getClientId().matches(CLIENT_ID_REGEX);
+    boolean validClientSecret = dashboardProperties.getClientSecret() != null
+        && dashboardProperties.getClientSecret().matches(CLIENT_SECRET_REGEX);
+
+    return validClientId && validClientSecret;
+  }
+}

iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/validation/ValidDashboard.java

@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.client.management.validation;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.validation.Constraint;
+import javax.validation.Payload;
+
+@Retention(RUNTIME)
+@Target({FIELD})
+@Constraint(validatedBy = DashboardConfigValidator.class)
+public @interface ValidDashboard {
+  String message() default "Invalid dashboard client configuration";
+
+  Class <?>[] groups() default {};
+
+  Class<? extends Payload>[] payload() default {};
+}

iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientDefaultsService.java

@@ -40,6 +40,7 @@ public class DefaultClientDefaultsService implements ClientDefaultsService {
       EnumSet.of(AuthMethod.SECRET_BASIC, AuthMethod.SECRET_POST, AuthMethod.SECRET_JWT);
 
   private static final int SECRET_SIZE = 512;
+  private static final int BCRYPT_MAX_SIZE = 72;
   private static final SecureRandom RNG = new SecureRandom();
 
   private final ClientRegistrationProperties properties;
@@ -95,9 +96,7 @@ public ClientDetailsEntity setupClientDefaults(ClientDetailsEntity client) {
 
   @Override
   public String generateClientSecret() {
-    return
-        Base64.encodeBase64URLSafeString(new BigInteger(SECRET_SIZE, RNG).toByteArray())
-          .replace("=", "");
+    return Base64.encodeBase64URLSafeString(new BigInteger(SECRET_SIZE, RNG).toByteArray()).substring(0, BCRYPT_MAX_SIZE);
   }
 
 }

iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java

@@ -21,17 +21,20 @@
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
+import org.springframework.validation.annotation.Validated;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.google.common.collect.Lists;
 import com.nimbusds.jose.JWEAlgorithm;
 import com.nimbusds.jose.JWSAlgorithm;
 
+import it.infn.mw.iam.api.client.management.validation.ValidDashboard;
 import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType;
 import it.infn.mw.iam.config.login.LoginButtonProperties;
 import it.infn.mw.iam.config.multi_factor_authentication.VerifyButtonProperties;
 
 @Component
+@Validated
 @ConfigurationProperties(prefix = "iam")
 public class IamProperties {
 
@@ -599,6 +602,38 @@ public void setTrackLastUsed(boolean trackLastUsed) {
     }
   }
 
+  @Validated
+  public static class DashboardProperties {
+
+    private boolean enabled = false;
+    private String clientId;
+    private String clientSecret;
+
+    public boolean isEnabled() {
+      return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+      this.enabled = enabled;
+    }
+
+    public String getClientId() {
+      return clientId;
+    }
+
+    public void setClientId(String clientId) {
+      this.clientId = clientId;
+    }
+
+    public String getClientSecret() {
+      return clientSecret;
+    }
+
+    public void setClientSecret(String clientSecret) {
+      this.clientSecret = clientSecret;
+    }
+  }
+
   public static class DefaultGroup {
     private String name;
     private String enrollment = "INSERT";
@@ -727,6 +762,9 @@ public void setUrnSubnamespaces(String urnSubnamespaces) {
 
   private AarcProfile aarcProfile = new AarcProfile();
 
+  @ValidDashboard
+  private DashboardProperties dashboard = new DashboardProperties();
+
   public String getBaseUrl() {
     return baseUrl;
   }
@@ -969,6 +1007,18 @@ public ClientProperties getClient() {
     return client;
   }
 
+  public DashboardProperties getDashboard() {
+    return dashboard;
+  }
+
+  public void setDashboard(DashboardProperties dashboard) {
+    this.dashboard = dashboard;
+  }
+
+  public Boolean isDashboardPropertiesEnable() {
+    return dashboard != null;
+  }
+
   public AarcProfile getAarcProfile() {
     return aarcProfile;
   }

iam-login-service/src/main/java/it/infn/mw/iam/core/util/StartupRunner.java

@@ -0,0 +1,52 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.infn.mw.iam.core.util;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.ApplicationArguments;
+import org.springframework.boot.ApplicationRunner;
+import org.springframework.stereotype.Component;
+
+import it.infn.mw.iam.dashboard.DashboardConfigService;
+
+@Component
+public class StartupRunner implements ApplicationRunner {
+
+  private static final Logger LOG = LoggerFactory.getLogger(StartupRunner.class);
+
+  private final DashboardConfigService dashboardConfigService;
+
+  public StartupRunner(DashboardConfigService dashboardConfigService) {
+    this.dashboardConfigService = dashboardConfigService;
+  }
+
+  @Override
+  public void run(ApplicationArguments args) {
+    if (!dashboardConfigService.isEnabled()) {
+      LOG.info(
+          "Dashboard client is disabled, skipping checks for the dashboard client properties and the presence of the record for the dashboard client");
+      return;
+    }
+
+    boolean isValid = dashboardConfigService.init();
+    if (!isValid) {
+      throw new IllegalStateException(
+          "Dashboard client record does not exist or is not valid. Please check the dashboard client properties and ensure that a record with the specified client id, client secret and redirect uri exists in the database");
+    }
+  }
+}