Refactor to not store string version of secret key longer than necessary

Author: ibacher

omod/src/main/java/org/openmrs/module/smartonfhir/util/SmartSecretKeyHolder.java

@@ -0,0 +1,73 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.module.smartonfhir.util;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.util.Base64;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.openmrs.module.smartonfhir.web.SmartSecretKey;
+import org.openmrs.util.OpenmrsUtil;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+
+@Slf4j
+public class SmartSecretKeyHolder {
+	
+	private static final ObjectMapper objectMapper = new ObjectMapper();
+	
+	private static volatile byte[] secretKey = null;
+	
+	public static byte[] getSecretKey() {
+		if (secretKey == null) {
+			synchronized (SmartSecretKeyHolder.class) {
+				if (secretKey == null) {
+					loadSecretKey();
+				}
+			}
+		}
+		
+		return secretKey;
+	}
+	
+	@SneakyThrows
+	private static void loadSecretKey() {
+		final Base64.Decoder decoder = Base64.getDecoder();
+		final PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
+		
+		Resource resource = resolver
+		        .getResource(OpenmrsUtil.getDirectoryInApplicationDataDirectory("config").getAbsolutePath() + File.separator
+		                + "smart-secret-key.json");
+		
+		if (resource != null && resource.isReadable()) {
+			try (InputStream secretKeyStream = resource.getInputStream()) {
+				secretKey = decoder
+				        .decode(objectMapper.readValue(secretKeyStream, SmartSecretKey.class).getSmartSharedSecretKey());
+				return;
+			}
+			catch (FileNotFoundException e) {
+				log.error("Could not load file [{}]", resource.getFilename(), e);
+			}
+		}
+		
+		resource = resolver.getResource("classpath:smart-secret-key.json");
+		
+		if (resource != null && resource.isReadable()) {
+			try (InputStream secretKeyStream = resource.getInputStream()) {
+				secretKey = decoder
+				        .decode(objectMapper.readValue(secretKeyStream, SmartSecretKey.class).getSmartSharedSecretKey());
+			}
+		}
+	}
+}

omod/src/main/java/org/openmrs/module/smartonfhir/web/filter/AuthenticationByPassFilter.java

@@ -19,31 +19,24 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import java.io.File;
 import java.io.IOException;
-import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
-import org.keycloak.common.util.Base64;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.jose.jws.crypto.HMACProvider;
 import org.keycloak.representations.JsonWebToken;
 import org.openmrs.api.context.Context;
 import org.openmrs.api.context.ContextAuthenticationException;
-import org.openmrs.module.smartonfhir.web.SmartSecretKey;
+import org.openmrs.module.smartonfhir.util.SmartSecretKeyHolder;
 import org.openmrs.module.smartonfhir.web.smart.SmartTokenCredentials;
-import org.openmrs.util.OpenmrsUtil;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
 
 @Slf4j
 public class AuthenticationByPassFilter implements Filter {
@@ -54,10 +47,6 @@ public class AuthenticationByPassFilter implements Filter {
 
 	private static final Pattern KEY_PARAM = Pattern.compile("^key=([^&]*)(?:&|$)");
 
-	private static final ObjectMapper objectMapper = new ObjectMapper();
-	
-	private SmartSecretKey smartSecretKey;
-	
 	private List<String> validUrls = new ArrayList<>(0);
 
 	@Override
@@ -154,7 +143,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 						final String username;
 						try {
 							JWSInput jwsInput = new JWSInput(userToken);
-							if (!HMACProvider.verify(jwsInput, Base64.decode(getSecretKey()))) {
+							if (!HMACProvider.verify(jwsInput, SmartSecretKeyHolder.getSecretKey())) {
 								log.error("Error validating user token");
 								response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
 								return;
@@ -187,22 +176,6 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 		filterChain.doFilter(request, response);
 	}
 
-	private String getSecretKey() throws IOException {
-		final PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
-		Resource resource = resolver.getResource(
-		    OpenmrsUtil.getDirectoryInApplicationDataDirectory("config") + File.separator + "smart-secret-key.json");
-		if (resource != null) {
-			resource = resolver.getResource("classpath:smart-secret-key.json");
-			
-			InputStream secretKeyStream = resource.getInputStream();
-			
-			smartSecretKey = new SmartSecretKey();
-			smartSecretKey = objectMapper.readValue(secretKeyStream, SmartSecretKey.class);
-		}
-		
-		return smartSecretKey.getSmartSharedSecretKey();
-	}
-	
 	@Override
 	public void destroy() {
 	}

omod/src/main/java/org/openmrs/module/smartonfhir/web/servlet/SmartConfigServlet.java

@@ -15,16 +15,19 @@
 import javax.servlet.http.HttpServletResponse;
 
 import java.io.File;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
 import org.openmrs.module.smartonfhir.web.KeycloakConfig;
 import org.openmrs.module.smartonfhir.web.SmartConformance;
 import org.openmrs.util.OpenmrsUtil;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
 
+@Slf4j
 public class SmartConfigServlet extends HttpServlet {
 
 	private static final ObjectMapper objectMapper = new ObjectMapper();
@@ -60,19 +63,31 @@ public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOExce
 		res.setContentType("application/json");
 		res.setCharacterEncoding("UTF-8");
 		res.setStatus(200);
-		objectMapper.writerWithType(SmartConformance.class).writeValue(res.getWriter(), smartConformance);
+		objectMapper.writerFor(SmartConformance.class).writeValue(res.getWriter(), smartConformance);
 	}
 
 	private KeycloakConfig getKeycloakConfig() throws IOException {
 		final PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
-		Resource resource = resolver.getResource(
-		    OpenmrsUtil.getDirectoryInApplicationDataDirectory("config") + File.separator + "smart-keycloak.json");
-		if (resource != null) {
-			resource = resolver.getResource("classpath:smart-keycloak.json");
-			InputStream secretKeyStream = resource.getInputStream();
-			
-			keycloakConfig = new KeycloakConfig();
-			keycloakConfig = objectMapper.readValue(secretKeyStream, KeycloakConfig.class);
+		Resource resource = resolver
+		        .getResource(OpenmrsUtil.getDirectoryInApplicationDataDirectory("config").getAbsolutePath() + File.separator
+		                + "smart-keycloak.json");
+		
+		if (resource != null && resource.isReadable()) {
+			try (InputStream keycloakConfigStream = resource.getInputStream()) {
+				keycloakConfig = objectMapper.readValue(keycloakConfigStream, KeycloakConfig.class);
+				return keycloakConfig;
+			}
+			catch (FileNotFoundException e) {
+				log.error("Could not load file [{}]", resource.getFilename(), e);
+			}
+		}
+		
+		resource = resolver.getResource("classpath:smart-keycloak.json");
+		
+		if (resource != null && resource.isReadable()) {
+			try (InputStream keycloakConfigStream = resource.getInputStream()) {
+				keycloakConfig = objectMapper.readValue(keycloakConfigStream, KeycloakConfig.class);
+			}
 		}
 
 		return keycloakConfig;

omod/src/main/java/org/openmrs/module/smartonfhir/web/servlet/SmartPatientSelected.java

@@ -14,33 +14,22 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import java.io.File;
 import java.io.IOException;
-import java.io.InputStream;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
-import java.util.Base64;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.keycloak.crypto.Algorithm;
 import org.keycloak.crypto.JavaAlgorithm;
 import org.keycloak.crypto.KeyWrapper;
 import org.keycloak.crypto.MacSignatureSignerContext;
 import org.keycloak.crypto.SignatureSignerContext;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.representations.JsonWebToken;
-import org.openmrs.module.smartonfhir.web.SmartSecretKey;
-import org.openmrs.util.OpenmrsUtil;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+import org.openmrs.module.smartonfhir.util.SmartSecretKeyHolder;
 
 public class SmartPatientSelected extends HttpServlet {
 
-	private static final ObjectMapper objectMapper = new ObjectMapper();
-	
-	private SmartSecretKey smartSecretKey;
-	
 	public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
 		String token = req.getParameter("token");
 		String patientId = req.getParameter("patientId");
@@ -52,7 +41,7 @@ public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOExce
 		JsonWebToken tokenSentBack = new JsonWebToken();
 		tokenSentBack.setOtherClaims("patient", patientId);
 
-		SecretKeySpec hmacSecretKeySpec = new SecretKeySpec(Base64.getDecoder().decode(getSecretKey()), JavaAlgorithm.HS256);
+		SecretKeySpec hmacSecretKeySpec = new SecretKeySpec(SmartSecretKeyHolder.getSecretKey(), JavaAlgorithm.HS256);
 		KeyWrapper keyWrapper = new KeyWrapper();
 		keyWrapper.setAlgorithm(Algorithm.HS256);
 		keyWrapper.setSecretKey(hmacSecretKeySpec);
@@ -64,20 +53,4 @@ public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOExce
 		String decodedUrl = URLDecoder.decode(token, StandardCharsets.UTF_8.name());
 		res.sendRedirect(decodedUrl.replace("{APP_TOKEN}", encodedToken));
 	}
-	
-	private String getSecretKey() throws IOException {
-		final PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
-		Resource resource = resolver.getResource(
-		    OpenmrsUtil.getDirectoryInApplicationDataDirectory("config") + File.separator + "smart-secret-key.json");
-		if (resource != null) {
-			resource = resolver.getResource("classpath:smart-secret-key.json");
-			
-			InputStream secretKeyStream = resource.getInputStream();
-			
-			smartSecretKey = new SmartSecretKey();
-			smartSecretKey = objectMapper.readValue(secretKeyStream, SmartSecretKey.class);
-		}
-		
-		return smartSecretKey.getSmartSharedSecretKey();
-	}
 }