From 766b740011694c51143b5d50f829decd92b3cd3b Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 25 Feb 2025 08:59:15 +0300 Subject: [PATCH 01/12] SUPPORT-8942: Fix --- .../ervu/security/esia/config/EsiaConfig.java | 7 ++ .../esia/controller/EsiaController.java | 11 ++-- .../esia/service/EsiaAuthService.java | 66 ++++++++++++++----- .../security/esia/token/EsiaTokensStore.java | 13 ++++ .../webbpm/jwt/helper/SecurityHelper.java | 2 +- .../ts/modules/security/guard/auth.guard.ts | 5 +- 6 files changed, 78 insertions(+), 26 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java index b240cbe..42dd494 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java @@ -53,6 +53,9 @@ public class EsiaConfig { @Value("${esia.issuer.url}") private String esiaIssuerUrl; + @Value("${esia.marker.ver}") + private String esiaMarkerVer; + public String getEsiaScopes() { String[] scopeItems = esiaScopes.split(","); return String.join(" ", Arrays.stream(scopeItems).map(String::trim).toArray(String[]::new)); @@ -107,4 +110,8 @@ public class EsiaConfig { public String getEsiaIssuerUrl() { return esiaIssuerUrl; } + + public String getEsiaMarkerVer() { + return esiaMarkerVer; + } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java b/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java index 624a505..b6172d0 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java 
@@ -34,14 +34,15 @@ public class EsiaController { private JwtTokenService jwtTokenService; @RequestMapping(value = "/esia/url") - public String getEsiaUrl() { - return esiaAuthService.generateAuthCodeUrl(); + public String getEsiaUrl(HttpServletResponse response) { + return esiaAuthService.generateAuthCodeUrl(response); } @GetMapping(value = "/esia/auth") - public void esiaAuth(@RequestParam(value = "code", required = false) String code, - HttpServletResponse response) { - esiaAuthService.authEsiaTokensByCode(code, response); + public void esiaAuth(@RequestParam(value = "code") String code, + @RequestParam(value = "state") String state, + HttpServletResponse response, HttpServletRequest request) { + esiaAuthService.authEsiaTokensByCode(code, state, response, request); } @RequestMapping(value = "/esia/refresh") diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 007d63a..09f8494 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -8,13 +8,13 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.nio.charset.StandardCharsets; -import java.time.Duration; -import java.time.ZonedDateTime; +import java.time.*; import java.time.format.DateTimeFormatter; import java.util.LinkedHashMap; import java.util.Map; import java.util.Objects; import java.util.UUID; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
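Review bot: `/esia/url` keeps its `@RequestMapping(value = "/esia/url")` with no `method`, so now that `getEsiaUrl(HttpServletResponse response)` has a side effect (a state entry and a `prns_uuid` cookie are issued through `esiaAuthService.generateAuthCodeUrl(response)`), that side effect is reachable through any HTTP verb. Narrowing it to `@GetMapping(value = "/esia/url")`, as `/esia/auth` below already does, makes the intended access pattern explicit. Making `code` and `state` required is the right call: a callback missing either now fails with 400 before any state lookup. The `EsiaController` class continues outside the hunk.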
@@ -25,7 +25,9 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.support.MessageSourceAccessor; +import org.springframework.http.ResponseCookie; import org.springframework.security.core.context.SecurityContext; +import org.springframework.web.util.WebUtils; import ru.micord.ervu.kafka.model.Document; import ru.micord.ervu.kafka.model.Person; import ru.micord.ervu.kafka.model.Response; @@ -59,6 +61,7 @@ public class EsiaAuthService { private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final MessageSourceAccessor MESSAGE_SOURCE = MessageBundleUtils.createAccessor( "messages/common_errors_messages"); + private static final String PRNS_UUID = "prns_uuid"; @Autowired private ObjectMapper objectMapper; @@ -84,13 +87,14 @@ public class EsiaAuthService { @Value("${ervu.kafka.request.topic}") private String requestTopic; - public String generateAuthCodeUrl() { + public String generateAuthCodeUrl(HttpServletResponse response) { try { String clientId = esiaConfig.getClientId(); DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx"); ZonedDateTime dt = ZonedDateTime.now(); String timestamp = dt.format(formatter); String state = UUID.randomUUID().toString(); + String prnsUUID = UUID.randomUUID().toString(); String redirectUrl = esiaConfig.getRedirectUrl(); String redirectUrlEncoded = redirectUrl.replaceAll(":", "%3A") .replaceAll("/", "%2F"); @@ -104,6 +108,9 @@ public class EsiaAuthService { parameters.put("redirect_uri", esiaConfig.getRedirectUrl()); String clientSecret = signMap(parameters); + EsiaTokensStore.addState(prnsUUID, state); + ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/").build(); + securityHelper.addResponseCookie(response, prnsCookie); String responseType = "code"; 
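Review bot: The new `prns_uuid` cookie is the only thing that binds the stored `state` to the browser that started the login, yet its attributes are decided inside `securityHelper.createCookie(PRNS_UUID, prnsUUID, "/")`, which is outside this patch; please confirm that builder sets `HttpOnly` and `Secure` and a `SameSite` value that still lets the cookie accompany the same-origin `esia/auth` request the frontend makes after the redirect back from ESIA. It is also worth a comment on the `EsiaTokensStore.addState(prnsUUID, state)` line that the entry is meant to be consumed exactly once by `verifyStateFromCookie`, since at this point in the series it has no lifetime (PATCH 04 adds one) and every visit to `/esia/url` leaves a new entry behind. `generateAuthCodeUrl` begins in the previous hunk and ends outside this one.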
@@ -152,17 +159,21 @@ public class EsiaAuthService { return uriBuilder.toString(); } - public void authEsiaTokensByCode(String esiaAuthCode, HttpServletResponse response) { + public void authEsiaTokensByCode(String esiaAuthCode, String state, HttpServletResponse response, HttpServletRequest request) { String esiaAccessTokenStr = null; String prnOid = null; Long expiresIn = null; long signSecret = 0, requestAccessToken = 0, verifySecret = 0; + String verifyStateResult = verifyStateFromCookie(request, state); + if (verifyStateResult != null) { + throw new EsiaException(verifyStateResult); + } try { String clientId = esiaConfig.getClientId(); DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy.MM.dd HH:mm:ss xx"); ZonedDateTime dt = ZonedDateTime.now(); String timestamp = dt.format(formatter); - String state = UUID.randomUUID().toString(); + String newState = UUID.randomUUID().toString(); String redirectUrl = esiaConfig.getRedirectUrl(); String scope = esiaConfig.getEsiaScopes(); @@ -170,7 +181,7 @@ public class EsiaAuthService { parameters.put("client_id", clientId); parameters.put("scope", scope); parameters.put("timestamp", timestamp); - parameters.put("state", state); + parameters.put("state", newState); parameters.put("redirect_uri", redirectUrl); parameters.put("code", esiaAuthCode); @@ -183,7 +194,7 @@ public class EsiaAuthService { .setParameter("code", esiaAuthCode) .setParameter("grant_type", "authorization_code") .setParameter("client_secret", clientSecret) - .setParameter("state", state) + .setParameter("state", newState) .setParameter("redirect_uri", redirectUrl) .setParameter("scope", scope) .setParameter("timestamp", timestamp) 
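Review bot: `authEsiaTokensByCode` now has two different state values in scope, the `state` parameter that came back from ESIA and the fresh `newState` sent with the token request, and nothing says why the second one exists; a one-line comment on the `newState` line, `// fresh state for the token request; ESIA echoes it in the token response and it is checked there`, would spare the next reader a search through the following hunks. The early `verifyStateFromCookie` check before the `try` is well placed, since it rejects the callback before any request to ESIA is made. The method continues past this hunk.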
@@ -211,6 +222,9 @@ public class EsiaAuthService { tokenResponse != null ? tokenResponse.getError_description() : "response is empty"; throw new IllegalStateException("Esia response error. " + errMsg); } + if (!tokenResponse.getState().equals(newState)) { + throw new EsiaException("Token invalid. State from request not equals with state from response."); + } esiaAccessTokenStr = tokenResponse.getAccess_token(); startTime = System.currentTimeMillis(); String verifyResult = verifyToken(esiaAccessTokenStr); @@ -416,6 +430,9 @@ public class EsiaAuthService { if (!esiaHeader.getSbt().equals("access")) { return "Token invalid. Token sbt: " + esiaHeader.getSbt() + " invalid"; } + if (!esiaHeader.getVer().equals(esiaConfig.getEsiaMarkerVer())) { + return "Token invalid. Token ver: " + esiaHeader.getVer() + " invalid"; + } if (!esiaHeader.getTyp().equals("JWT")) { return "Token invalid. Token type: " + esiaHeader.getTyp() + " invalid"; } 
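Review bot: `tokenResponse.getState().equals(newState)` throws NullPointerException when the token response carries no `state`, so that case surfaces as an `EsiaException` wrapping an NPE from the surrounding catch rather than with the explicit message added here; `newState` is never null, so flipping the comparison, `if (!newState.equals(tokenResponse.getState())) {`, covers it. The `ver` check in the next hunk of this file (`@@ -416`) has the same shape: `esiaHeader.getVer().equals(esiaConfig.getEsiaMarkerVer())` NPEs on a header without `ver`, whereas `esiaConfig.getEsiaMarkerVer()` is non-null as long as `esia.marker.ver` has no default and is therefore mandatory at startup, so `esiaConfig.getEsiaMarkerVer().equals(esiaHeader.getVer())` is the safe order. The neighbouring `sbt`/`typ` checks are pre-existing and keep the old pattern, which is a reason to fix all of them together rather than to copy it. Both enclosing methods start and end outside their hunks.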
@@ -425,17 +442,16 @@ public class EsiaAuthService { if (!esiaAccessToken.getIss().equals(esiaConfig.getEsiaIssuerUrl())) { return "Token invalid. Token issuer:" + esiaAccessToken.getIss() + " invalid"; } - //TODO SUPPORT-8750 -// LocalDateTime iatTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getIat()), -// ZoneId.systemDefault() -// ); -// LocalDateTime expTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getExp()), -// ZoneId.systemDefault() -// ); -// LocalDateTime currentTime = LocalDateTime.now(); -// if (!currentTime.isAfter(iatTime) || !expTime.isAfter(iatTime)) { -// return "Token invalid. Token expired"; -// } + LocalDateTime iatTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getIat()), + ZoneId.systemDefault() + ); + LocalDateTime expTime = LocalDateTime.ofInstant(Instant.ofEpochSecond(esiaAccessToken.getExp()), + ZoneId.systemDefault() + ); + LocalDateTime currentTime = LocalDateTime.now(); + if (!currentTime.isAfter(iatTime) || !expTime.isAfter(iatTime)) { + return "Token invalid. Token expired"; + } HttpResponse response = signVerify(accessToken); if (response.statusCode() != 200) { if (response.statusCode() == 401) { @@ -463,4 +479,18 @@ public class EsiaAuthService { throw new EsiaException(e); } } + + private String verifyStateFromCookie(HttpServletRequest request, String state) { + Cookie cookie = WebUtils.getCookie(request, PRNS_UUID); + if (cookie == null) { + return "State invalid. Cookie not found"; + } + String prnsUUID = cookie.getValue(); + String oldState = EsiaTokensStore.getState(prnsUUID); + if (oldState == null || !oldState.equals(state)) { + return "State invalid. State from ESIA not equals with state before"; + } + EsiaTokensStore.removeState(prnsUUID); + return null; + } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 7f56cc4..9dc37f6 100644 
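Review bot: The re-enabled check never compares the current time with `exp`: `!currentTime.isAfter(iatTime) || !expTime.isAfter(iatTime)` rejects only a token whose `iat` is in the future or whose `exp` precedes its `iat`, so an expired access token still passes this method, and nothing visible after it re-checks expiry unless the `signVerify` endpoint happens to. The condition also rejects a token issued in the same second as the check (`isAfter` is strict) and allows no clock skew at all against the ESIA server, which is the kind of thing that only shows up in production. Comparing `Instant`s directly, with a small leeway, fixes both, and the `LocalDateTime`/`ZoneId.systemDefault()` conversions are not needed for the comparison. The enclosing method starts and ends outside the hunk.
```java
        Instant now = Instant.now();
        Instant iat = Instant.ofEpochSecond(esiaAccessToken.getIat());
        Instant exp = Instant.ofEpochSecond(esiaAccessToken.getExp());
        // Tolerance for clock skew between this host and the ESIA server (value illustrative).
        Duration skew = Duration.ofSeconds(30);
        // Reject a token issued in the future or one that is already past its exp.
        if (iat.isAfter(now.plus(skew)) || !exp.isAfter(now.minus(skew))) {
            return "Token invalid. Token expired";
        }
        // … unchanged: signVerify call and status handling …
```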
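Review bot: `EsiaTokensStore.removeState(prnsUUID)` runs only on the success path of `verifyStateFromCookie`, so after a mismatch the stored state stays valid for the same `prns_uuid` and the check can be repeated against it until the entry is otherwise cleaned up; a CSRF state should be consumed on the first verification attempt whatever its outcome. Moving the `removeState` call to directly after the `getState` lookup, before the `oldState == null || !oldState.equals(state)` comparison, gives the one-time-use semantics without changing any message. The later revisions of this method in PATCH 05 and PATCH 09 keep the success-only shape, and the `securityHelper.clearCookie(response, PRNS_UUID, "/")` added in PATCH 05 is likewise skipped on failure, so the stale cookie lingers on the client as well.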
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -14,6 +14,7 @@ public class EsiaTokensStore { private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); + private static final Map prnsUUIDStateMap = new ConcurrentHashMap<>(); public static void addAccessToken(String prnOid, String token, long expiresIn) { if (token != null) { @@ -75,4 +76,16 @@ public class EsiaTokensStore { public static void removeRefreshToken(String prnOid) { refreshTokensMap.remove(prnOid); } + + public static void addState(String prnsUUID, String state) { + prnsUUIDStateMap.put(prnsUUID, state); + } + + public static String getState(String prnsUUID) { + return prnsUUIDStateMap.get(prnsUUID); + } + + public static String removeState(String prnsUUID) { + return prnsUUIDStateMap.remove(prnsUUID); + } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index 9c966f6..f04b0ad 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java @@ -48,7 +48,7 @@ public final class SecurityHelper { addResponseCookie(response, emptyAuthMarker); } - private void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) { + public void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) { response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString()); } diff --git a/frontend/src/ts/modules/security/guard/auth.guard.ts b/frontend/src/ts/modules/security/guard/auth.guard.ts index e6a94c5..a5954a2 100644 
--- a/frontend/src/ts/modules/security/guard/auth.guard.ts +++ b/frontend/src/ts/modules/security/guard/auth.guard.ts @@ -25,6 +25,7 @@ export abstract class AuthGuard implements CanActivate { let url = new URL(window.location.href); let params = new URLSearchParams(url.search); let code = params.get('code'); + let state = params.get('state'); let error = params.get('error'); let errorDescription = params.get('error_description'); if (isAccess) { @@ -41,8 +42,8 @@ export abstract class AuthGuard implements CanActivate { this.messageService.error(errorMessage); console.error(consoleError); } - if (code) { - const params = new HttpParams().set('code', code); + if (code && state) { + const params = new HttpParams().set('code', code).set('state', state); this.httpClient.get("esia/auth", { params: params, From 58e9a896b017e9b3fc3ee1005a32759b534566a6 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 26 Feb 2025 09:49:43 +0300 Subject: [PATCH 02/12] SUPPORT-8942: Fix --- .../ervu/security/esia/controller/EsiaController.java | 6 ++---- .../micord/ervu/security/esia/service/EsiaAuthService.java | 6 +++++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java b/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java index b6172d0..0b0b84b 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/controller/EsiaController.java 
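Review bot: `if (code && state)` silently drops the callback when ESIA returns a `code` without a `state`: `esia/auth` is never called and nothing is shown, whereas the `error` branch just above reports through `this.messageService.error`. An `else if (code)` branch that reports the missing parameter the same way keeps that failure visible to the user instead of leaving them on a page that appears to do nothing. The enclosing method starts and ends outside the hunk.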
@@ -5,10 +5,8 @@ import java.text.SimpleDateFormat; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import ru.micord.ervu.security.esia.model.PersonDataModel; @@ -39,8 +37,8 @@ public class EsiaController { } @GetMapping(value = "/esia/auth") - public void esiaAuth(@RequestParam(value = "code") String code, - @RequestParam(value = "state") String state, + public void esiaAuth(@RequestParam String code, + @RequestParam String state, HttpServletResponse response, HttpServletRequest request) { esiaAuthService.authEsiaTokensByCode(code, state, response, request); } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 09f8494..c894cf0 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -8,7 +8,11 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.nio.charset.StandardCharsets; -import java.time.*; +import java.time.Duration; +import java.time.Instant; +import java.time.LocalDateTime; +import java.time.ZoneId; +import java.time.ZonedDateTime; import java.time.format.DateTimeFormatter; import java.util.LinkedHashMap; import java.util.Map; From c5fdf582fb74e4b7bfeebcfa77dc9b53bdb6097f Mon Sep 17 00:00:00 2001 
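Review bot: Dropping `value = "code"` and `value = "state"` makes the binding depend on parameter names being available at runtime (`-parameters` at compile time or, as far as I recall, the debug-info fallback Spring 5 still provides); if the build flags ever change, both parameters stop binding and every callback fails with 400. Keeping the explicit names costs nothing and matches how `@RequestParam(value = "code", required = false)` was written before this series. The import cleanup in the first hunk is fine.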
From: Eduard Tihomirov Date: Wed, 26 Feb 2025 09:50:37 +0300 Subject: [PATCH 03/12] SUPPORT-8942: Fix --- .../micord/ervu/security/esia/token/EsiaTokensStore.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 9dc37f6..e04159b 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -14,7 +14,7 @@ public class EsiaTokensStore { private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); - private static final Map prnsUUIDStateMap = new ConcurrentHashMap<>(); + private static final Map prnsUuidStateMap = new ConcurrentHashMap<>(); public static void addAccessToken(String prnOid, String token, long expiresIn) { if (token != null) { @@ -78,14 +78,14 @@ public class EsiaTokensStore { } public static void addState(String prnsUUID, String state) { - prnsUUIDStateMap.put(prnsUUID, state); + prnsUuidStateMap.put(prnsUUID, state); } public static String getState(String prnsUUID) { - return prnsUUIDStateMap.get(prnsUUID); + return prnsUuidStateMap.get(prnsUUID); } public static String removeState(String prnsUUID) { - return prnsUUIDStateMap.remove(prnsUUID); + return prnsUuidStateMap.remove(prnsUUID); } } From a05471f98573d2c96f0a68a2f650a29b4f30bb18 Mon Sep 17 00:00:00 2001 
From: Eduard Tihomirov Date: Wed, 26 Feb 2025 10:21:03 +0300 Subject: [PATCH 04/12] SUPPORT-8942: Fix --- .../ervu/security/esia/config/EsiaConfig.java | 9 +++++ .../esia/service/EsiaAuthService.java | 6 ++-- .../security/esia/token/EsiaTokensStore.java | 22 ++++++++---- .../security/esia/token/ExpiringState.java | 34 +++++++++++++++++++ .../token/TokensClearShedulerService.java | 1 + 5 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java index 42dd494..b56173d 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java @@ -56,6 +56,10 @@ public class EsiaConfig { @Value("${esia.marker.ver}") private String esiaMarkerVer; + @Value("${esia.state.cookie.life.time:60}") + private long esiaStateCookieLifeTime; + + public String getEsiaScopes() { String[] scopeItems = esiaScopes.split(","); return String.join(" ", Arrays.stream(scopeItems).map(String::trim).toArray(String[]::new)); @@ -114,4 +118,9 @@ public class EsiaConfig { public String getEsiaMarkerVer() { return esiaMarkerVer; } + + + public long getEsiaStateCookieLifeTime() { + return esiaStateCookieLifeTime * 60000L; + } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index c894cf0..b88679f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java 
@@ -112,8 +112,10 @@ public class EsiaAuthService { parameters.put("redirect_uri", esiaConfig.getRedirectUrl()); String clientSecret = signMap(parameters); - EsiaTokensStore.addState(prnsUUID, state); - ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/").build(); + EsiaTokensStore.addState(prnsUUID, state, esiaConfig.getEsiaStateCookieLifeTime()); + ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/") + .maxAge(esiaConfig.getEsiaStateCookieLifeTime()) + .build(); securityHelper.addResponseCookie(response, prnsCookie); String responseType = "code"; diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index e04159b..e97f1c2 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -14,7 +14,7 @@ public class EsiaTokensStore { private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); - private static final Map prnsUuidStateMap = new ConcurrentHashMap<>(); + private static final Map prnsUuidStateMap = new ConcurrentHashMap<>(); public static void addAccessToken(String prnOid, String token, long expiresIn) { if (token != null) { 
@@ -77,15 +77,25 @@ public class EsiaTokensStore { refreshTokensMap.remove(prnOid); } - public static void addState(String prnsUUID, String state) { - prnsUuidStateMap.put(prnsUUID, state); + public static void addState(String prnsUUID, String state, long expiresIn) { + long expiryTime = System.currentTimeMillis() + expiresIn; + prnsUuidStateMap.put(prnsUUID, new ExpiringState(state, expiryTime)); } public static String getState(String prnsUUID) { - return prnsUuidStateMap.get(prnsUUID); + return prnsUuidStateMap.get(prnsUUID).getState(); } - public static String removeState(String prnsUUID) { - return prnsUuidStateMap.remove(prnsUUID); + public static void removeState(String prnsUUID) { + prnsUuidStateMap.remove(prnsUUID); + } + + public static void removeExpiredState() { + for (String key : prnsUuidStateMap.keySet()) { + ExpiringState state = prnsUuidStateMap.get(key); + if (state != null && state.isExpired()) { + prnsUuidStateMap.remove(key); + } + } } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java new file mode 100644 index 0000000..7466223 --- /dev/null +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java @@ -0,0 +1,34 @@ +package ru.micord.ervu.security.esia.token; + +/** + * @author Eduard Tihomirov + */ +public class ExpiringState { + private String state; + private long expiryTime; + + public ExpiringState(String state, long expiryTime) { + this.state = state; + this.expiryTime = expiryTime; + } + + public String getState() { + return state; + } + + public void setState(String state) { + this.state = state; + } + + public long getExpiryTime() { + return expiryTime; + } + + public void setExpiryTime(long expiryTime) { + this.expiryTime = expiryTime; + } + + boolean isExpired() { + return System.currentTimeMillis() > expiryTime; + } +} 
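Review bot: `prnsUuidStateMap.get(prnsUUID).getState()` dereferences the lookup result, so an unknown or already-removed `prns_uuid` (a stale cookie, or an entry swept by `removeExpiredState`) throws NullPointerException out of `getState` instead of returning null, which is exactly the case `verifyStateFromCookie` tries to handle with `oldState == null`. Returning null for an absent entry, and also for one whose `isExpired()` is true, makes the lifetime effective immediately rather than only at the next run of the cleaner (hourly with the default cron). `removeExpiredState` can also be written as `prnsUuidStateMap.entrySet().removeIf(e -> e.getValue().isExpired());`, which avoids the get-after-keySet round trip.
```java
    public static String getState(String prnsUUID) {
        ExpiringState expiringState = prnsUuidStateMap.get(prnsUUID);
        // Treat an unknown or expired entry as absent so the lifetime is enforced on lookup.
        if (expiringState == null || expiringState.isExpired()) {
            return null;
        }
        return expiringState.getState();
    }
    // … unchanged: removeState, removeExpiredState …
```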
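Review bot: `ExpiringState` exposes `setState` and `setExpiryTime` that nothing in the series calls, and a value that lives in a shared `ConcurrentHashMap` and is read from the scheduled cleaner is easier to reason about when it cannot change after construction; make both fields `private final` and drop the setters. A short class Javadoc would also help, since the unit of `expiryTime` is only visible in the caller: `/** One-time OAuth state paired with its absolute expiry in epoch milliseconds (see addState). */`. `isExpired()` being package-private while the getters are public looks accidental rather than intended.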
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
index 89c9db4..3421107 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
@@ -16,5 +16,6 @@ public class TokensClearShedulerService {
 public void load() {
 EsiaTokensStore.removeExpiredRefreshToken();
 EsiaTokensStore.removeExpiredAccessToken();
+ EsiaTokensStore.removeExpiredState();
 }
 }
From 97b811a147175b821d0f914359ed70ec34e4fbe2 Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Wed, 26 Feb 2025 11:16:12 +0300
Subject: [PATCH 05/12] SUPPORT-8942: Fix
---
 .../micord/ervu/security/esia/service/EsiaAuthService.java | 5 +++--
 .../ervu/security/webbpm/jwt/helper/SecurityHelper.java | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index b88679f..81d4395 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -170,7 +170,7 @@ public class EsiaAuthService {
 String prnOid = null;
 Long expiresIn = null;
 long signSecret = 0, requestAccessToken = 0, verifySecret = 0;
- String verifyStateResult = verifyStateFromCookie(request, state);
+ String verifyStateResult = verifyStateFromCookie(request, state, response);
 if (verifyStateResult != null) {
 throw new EsiaException(verifyStateResult);
 }
@@ -486,7 +486,7 @@ public class EsiaAuthService { } } - private String verifyStateFromCookie(HttpServletRequest request, String state) { + private String verifyStateFromCookie(HttpServletRequest request, String state, HttpServletResponse response) { Cookie cookie = WebUtils.getCookie(request, PRNS_UUID); if (cookie == null) { return "State invalid. Cookie not found"; @@ -497,6 +497,7 @@ public class EsiaAuthService { return "State invalid. State from ESIA not equals with state before"; } EsiaTokensStore.removeState(prnsUUID); + securityHelper.clearCookie(response, PRNS_UUID, "/"); return null; } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java index f04b0ad..3f002db 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java @@ -48,6 +48,12 @@ public final class SecurityHelper { addResponseCookie(response, emptyAuthMarker); } + public void clearCookie(HttpServletResponse response, String name, String path) { + ResponseCookie emptyCookie = createCookie(name, null, path) + .maxAge(0).build(); + addResponseCookie(response, emptyCookie); + } + public void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) { response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString()); } From 70302efb77b153e53ae64e9f515e25ecbbee510f Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 26 Feb 2025 11:21:55 +0300 Subject: [PATCH 06/12] SUPPORT-8942: Fix --- .../java/ru/micord/ervu/security/esia/config/EsiaConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java index b56173d..795af0e 100644 
--- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
@@ -56,7 +56,7 @@ public class EsiaConfig {
 @Value("${esia.marker.ver}")
 private String esiaMarkerVer;
- @Value("${esia.state.cookie.life.time:60}")
+ @Value("${esia.state.cookie.life.time.min:60}")
 private long esiaStateCookieLifeTime;
From c640b82a0061cd61e66f10881119d0770bc27531 Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Wed, 26 Feb 2025 12:14:09 +0300
Subject: [PATCH 07/12] SUPPORT-8942: Fix
---
 .../ru/micord/ervu/security/esia/config/EsiaConfig.java | 2 +-
 .../micord/ervu/security/esia/service/EsiaAuthService.java | 7 -------
 .../micord/ervu/security/esia/token/EsiaTokensStore.java | 2 +-
 3 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
index 795af0e..00f3abe 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java
@@ -121,6 +121,6 @@ public class EsiaConfig {
 public long getEsiaStateCookieLifeTime() {
- return esiaStateCookieLifeTime * 60000L;
+ return esiaStateCookieLifeTime * 60L;
 }
 }
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index 81d4395..8a1a54e 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -410,13 +410,6 @@ public class EsiaAuthService { return person; } - private String getMessageId(Exception exception) { - return Integer.toUnsignedString(Objects - .hashCode(getCurrentUserEsiaId()), 36) - + "-" - + Integer.toUnsignedString(exception.hashCode(), 36); - } - private void createTokenAndAddCookie(HttpServletResponse response, String userId, String ervuId, Long expiresIn) { Token token = jwtTokenService.createAccessToken(userId, expiresIn, ervuId); diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index e97f1c2..dcd5c2d 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -78,7 +78,7 @@ public class EsiaTokensStore { } public static void addState(String prnsUUID, String state, long expiresIn) { - long expiryTime = System.currentTimeMillis() + expiresIn; + long expiryTime = System.currentTimeMillis() + expiresIn * 1000L; prnsUuidStateMap.put(prnsUUID, new ExpiringState(state, expiryTime)); } From cb1d4b273089f639dbc837e7e3d2322afd41bf30 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 26 Feb 2025 12:16:06 +0300 Subject: [PATCH 08/12] SUPPORT-8942: Fix --- .../ervu/security/esia/token/TokensClearShedulerService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java index 3421107..fdc9834 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java 
@@ -13,7 +13,7 @@ public class TokensClearShedulerService { @Scheduled(cron = "${esia.token.clear.cron:0 0 */1 * * *}") @SchedulerLock(name = "clearToken") @Transactional - public void load() { + public void clear() { EsiaTokensStore.removeExpiredRefreshToken(); EsiaTokensStore.removeExpiredAccessToken(); EsiaTokensStore.removeExpiredState(); From 91c9214560568a58c3b80b3f11e1679cacc01fb0 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 26 Feb 2025 12:29:48 +0300 Subject: [PATCH 09/12] SUPPORT-8942: Fix --- .../ervu/controller/ExtractController.java | 4 ++-- .../ervu/security/esia/config/EsiaConfig.java | 4 ++-- .../esia/service/EsiaAuthService.java | 22 +++++++++---------- ... => EsiaAuthInfoClearShedulerService.java} | 8 +++---- ...okensStore.java => EsiaAuthInfoStore.java} | 2 +- .../webbpm/jwt/service/JwtTokenService.java | 8 +++---- 6 files changed, 23 insertions(+), 25 deletions(-) rename backend/src/main/java/ru/micord/ervu/security/esia/token/{TokensClearShedulerService.java => EsiaAuthInfoClearShedulerService.java} (70%) rename backend/src/main/java/ru/micord/ervu/security/esia/token/{EsiaTokensStore.java => EsiaAuthInfoStore.java} (98%) diff --git a/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java b/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java index abce7e2..77d659b 100644 --- a/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java +++ b/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java @@ -24,7 +24,7 @@ import ru.micord.ervu.kafka.dto.FullExtract; import ru.micord.ervu.kafka.service.ReplyingKafkaService; import ru.micord.ervu.security.esia.model.PersonModel; import ru.micord.ervu.security.esia.service.PersonalDataService; -import ru.micord.ervu.security.esia.token.EsiaTokensStore; +import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore; import ru.micord.ervu.security.webbpm.jwt.UserIdsPair; import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; 
@@ -69,7 +69,7 @@ public class ExtractController { } else { String esiaUserId = userIdsPair.getEsiaUserId(); // esiaUserId is not null here - String esiaAccessToken = EsiaTokensStore.getAccessToken(esiaUserId); + String esiaAccessToken = EsiaAuthInfoStore.getAccessToken(esiaUserId); PersonModel personModel = personalDataService.getPersonModel(esiaAccessToken); ExtractEmptyRequestDto emptyRequest = new ExtractEmptyRequestDto( diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java index 00f3abe..242dd16 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/config/EsiaConfig.java @@ -56,7 +56,7 @@ public class EsiaConfig { @Value("${esia.marker.ver}") private String esiaMarkerVer; - @Value("${esia.state.cookie.life.time.min:60}") + @Value("${esia.state.cookie.life.time:300}") private long esiaStateCookieLifeTime; @@ -121,6 +121,6 @@ public class EsiaConfig { public long getEsiaStateCookieLifeTime() { - return esiaStateCookieLifeTime * 60L; + return esiaStateCookieLifeTime; } } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 8a1a54e..67efc80 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java @@ -16,7 +16,6 @@ import java.time.ZonedDateTime; import java.time.format.DateTimeFormatter; import java.util.LinkedHashMap; import java.util.Map; -import java.util.Objects; import java.util.UUID; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; 
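Review bot: `getEsiaStateCookieLifeTime()` now returns the raw `esia.state.cookie.life.time` value and its unit has become implicit: the same number goes to `ResponseCookie.maxAge(long)`, which takes seconds, and to `addState`, which multiplies it by `1000L` into milliseconds, so it is seconds, but nothing in `EsiaConfig` says so and the property name lost the unit suffix it briefly carried in PATCH 06. A Javadoc on the getter, `/** Lifetime of the ESIA state cookie and of the matching server-side state entry, in seconds (esia.state.cookie.life.time, default 300). */`, or renaming it with a `Seconds` suffix, would prevent a repeat of the minute/millisecond confusion the earlier patches went through. The `EsiaConfig` class continues outside the hunk.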
@@ -42,7 +41,7 @@ import ru.micord.ervu.security.esia.model.EsiaHeader; import ru.micord.ervu.security.esia.model.EsiaTokenResponse; import ru.micord.ervu.security.esia.model.FormUrlencoded; import ru.micord.ervu.security.esia.model.PersonModel; -import ru.micord.ervu.security.esia.token.EsiaTokensStore; +import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore; import ru.micord.ervu.security.esia.config.EsiaConfig; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpHeaders; @@ -54,7 +53,6 @@ import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService; import ru.micord.ervu.security.webbpm.jwt.model.Token; -import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.getCurrentUserEsiaId; import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils; /** @@ -112,7 +110,7 @@ public class EsiaAuthService { parameters.put("redirect_uri", esiaConfig.getRedirectUrl()); String clientSecret = signMap(parameters); - EsiaTokensStore.addState(prnsUUID, state, esiaConfig.getEsiaStateCookieLifeTime()); + EsiaAuthInfoStore.addState(prnsUUID, state, esiaConfig.getEsiaStateCookieLifeTime()); ResponseCookie prnsCookie = securityHelper.createCookie(PRNS_UUID, prnsUUID, "/") .maxAge(esiaConfig.getEsiaStateCookieLifeTime()) .build(); @@ -242,8 +240,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); prnOid = esiaAccessToken.getSbj_id(); expiresIn = tokenResponse.getExpires_in(); - EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - EsiaTokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); + EsiaAuthInfoStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaAuthInfoStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); } catch (Exception e) { throw new EsiaException(e); 
@@ -324,8 +322,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); String prnOid = esiaAccessToken.getSbj_id(); Long expiresIn = tokenResponse.getExpires_in(); - EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - EsiaTokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); + EsiaAuthInfoStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaAuthInfoStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); PersonModel personModel = personalDataService.getPersonModel(esiaAccessTokenStr); Response ervuIdResponse = getErvuIdResponse(personModel); createTokenAndAddCookie(response, esiaAccessToken.getSbj_id(), ervuIdResponse.getErvuId(), expiresIn); @@ -372,8 +370,8 @@ public class EsiaAuthService { try { securityHelper.clearAccessCookies(response); String userId = jwtTokenService.getUserAccountId(request); - EsiaTokensStore.removeAccessToken(userId); - EsiaTokensStore.removeRefreshToken(userId); + EsiaAuthInfoStore.removeAccessToken(userId); + EsiaAuthInfoStore.removeRefreshToken(userId); String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl(); String redirectUrl = esiaConfig.getLogoutRedirectUrl(); URL url = new URL(logoutUrl); @@ -485,11 +483,11 @@ public class EsiaAuthService { return "State invalid. Cookie not found"; } String prnsUUID = cookie.getValue(); - String oldState = EsiaTokensStore.getState(prnsUUID); + String oldState = EsiaAuthInfoStore.getState(prnsUUID); if (oldState == null || !oldState.equals(state)) { return "State invalid. State from ESIA not equals with state before"; } - EsiaTokensStore.removeState(prnsUUID); + EsiaAuthInfoStore.removeState(prnsUUID); securityHelper.clearCookie(response, PRNS_UUID, "/"); return null; } 
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
similarity index 70%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
index fdc9834..fccce36 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
@@ -9,13 +9,13 @@ import org.springframework.transaction.annotation.Transactional;
 * @author Eduard Tihomirov
 */
 @Service
-public class TokensClearShedulerService {
+public class EsiaAuthInfoClearShedulerService {
 @Scheduled(cron = "${esia.token.clear.cron:0 0 */1 * * *}")
 @SchedulerLock(name = "clearToken")
 @Transactional
 public void clear() {
- EsiaTokensStore.removeExpiredRefreshToken();
- EsiaTokensStore.removeExpiredAccessToken();
- EsiaTokensStore.removeExpiredState();
+ EsiaAuthInfoStore.removeExpiredRefreshToken();
+ EsiaAuthInfoStore.removeExpiredAccessToken();
+ EsiaAuthInfoStore.removeExpiredState();
 }
 }
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java
similarity index 98%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java
index dcd5c2d..ee8ea8a 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java
@@ -10,7 +10,7 @@ import org.slf4j.LoggerFactory;
 /**
 * @author Eduard Tihomirov
 */
-public class EsiaTokensStore {
+public class EsiaAuthInfoStore {
 private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 private static final Map accessTokensMap = new ConcurrentHashMap<>();
 private static final Map refreshTokensMap = new ConcurrentHashMap<>();
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
index a7dc81c..7ca9332 100644
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
@@ -14,7 +14,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
-import ru.micord.ervu.security.esia.token.EsiaTokensStore;
+import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore;
 import ru.micord.ervu.security.webbpm.jwt.UserIdsPair;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;
@@ -67,7 +67,7 @@ public class JwtTokenService {
 return false;
 }
 String esiaUserId = new UserIdsPair(token.getUserAccountId()).getEsiaUserId();
- return EsiaTokensStore.validateAccessToken(esiaUserId);
+ return EsiaAuthInfoStore.validateAccessToken(esiaUserId);
 }
 public Token getToken(String token) {
@@ -80,11 +80,11 @@ public class JwtTokenService {
 }
 public String getAccessToken(HttpServletRequest request) {
- return EsiaTokensStore.getAccessToken(getUserAccountId(request));
+ return EsiaAuthInfoStore.getAccessToken(getUserAccountId(request));
 }
 public String getRefreshToken(HttpServletRequest request) {
- return EsiaTokensStore.getRefreshToken(getUserAccountId(request));
+ return EsiaAuthInfoStore.getRefreshToken(getUserAccountId(request));
 }
 public String getUserAccountId(HttpServletRequest request) {
From c2c022d261550e6aa95d5eb614bbd5a05448b542 Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Wed, 26 Feb 2025 12:32:29 +0300
Subject: [PATCH 10/12] SUPPORT-8942: Fix
---
 .../security/esia/token/EsiaAuthInfoClearShedulerService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
index fccce36..caea622 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
@@ -13,7 +13,7 @@ public class EsiaAuthInfoClearShedulerService {
 @Scheduled(cron = "${esia.token.clear.cron:0 0 */1 * * *}")
 @SchedulerLock(name = "clearToken")
 @Transactional
- public void clear() {
+ public void run() {
 EsiaAuthInfoStore.removeExpiredRefreshToken();
 EsiaAuthInfoStore.removeExpiredAccessToken();
 EsiaAuthInfoStore.removeExpiredState();
From f7c234bd5011f68591850aee1f74f3f33fb59373 Mon Sep 17 00:00:00 2001
From: Eduard Tihomirov
Date: Wed, 26 Feb 2025 12:44:07 +0300
Subject: [PATCH 11/12] SUPPORT-8942: Fix
---
 .../java/ru/micord/ervu/controller/ExtractController.java | 2 +-
 .../ervu/security/esia/{token => }/EsiaAuthInfoStore.java | 4 +++-
 .../ervu/security/esia/{token => model}/ExpiringState.java | 4 ++--
 .../ervu/security/esia/{token => model}/ExpiringToken.java | 4 ++--
 .../EsiaAuthInfoClearShedulerService.java | 7 ++++---
 .../micord/ervu/security/esia/service/EsiaAuthService.java | 2 +-
 .../ervu/security/webbpm/jwt/service/JwtTokenService.java | 2 +-
 config/standalone/dev/standalone.xml | 2 +-
 8 files changed, 15 insertions(+), 12 deletions(-)
 rename backend/src/main/java/ru/micord/ervu/security/esia/{token => }/EsiaAuthInfoStore.java (95%)
 rename backend/src/main/java/ru/micord/ervu/security/esia/{token => model}/ExpiringState.java (88%)
 rename backend/src/main/java/ru/micord/ervu/security/esia/{token => model}/ExpiringToken.java (89%)
 rename backend/src/main/java/ru/micord/ervu/security/esia/{token => service}/EsiaAuthInfoClearShedulerService.java (70%)
diff --git a/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java b/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java
index 77d659b..1b90386 100644
--- a/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java
+++ b/backend/src/main/java/ru/micord/ervu/controller/ExtractController.java
@@ -24,7 +24,7 @@ import ru.micord.ervu.kafka.dto.FullExtract;
 import ru.micord.ervu.kafka.service.ReplyingKafkaService;
 import ru.micord.ervu.security.esia.model.PersonModel;
 import ru.micord.ervu.security.esia.service.PersonalDataService;
-import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore;
+import ru.micord.ervu.security.esia.EsiaAuthInfoStore;
 import ru.micord.ervu.security.webbpm.jwt.UserIdsPair;
 import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil;
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
similarity index 95%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
index ee8ea8a..a127eec 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoStore.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
@@ -1,4 +1,4 @@
-package ru.micord.ervu.security.esia.token;
+package ru.micord.ervu.security.esia;
 import java.lang.invoke.MethodHandles;
 import java.util.Map;
@@ -6,6 +6,8 @@ import java.util.concurrent.ConcurrentHashMap;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import ru.micord.ervu.security.esia.model.ExpiringState;
+import ru.micord.ervu.security.esia.model.ExpiringToken;
 /**
 * @author Eduard Tihomirov
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java b/backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringState.java
similarity index 88%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringState.java
index 7466223..7584b66 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringState.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringState.java
@@ -1,4 +1,4 @@
-package ru.micord.ervu.security.esia.token;
+package ru.micord.ervu.security.esia.model;
 /**
 * @author Eduard Tihomirov
@@ -28,7 +28,7 @@ public class ExpiringState {
 this.expiryTime = expiryTime;
 }
- boolean isExpired() {
+ public boolean isExpired() {
 return System.currentTimeMillis() > expiryTime;
 }
 }
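Review bot: `isExpired()` becomes part of the public surface of the new `model` package in the ExpiringState hunk (and in the identical ExpiringToken hunk that follows) but still has no Javadoc, although it is the check that decides whether a stored login state or token is still honoured. Its contract should be stated, e.g. `/** True once the wall clock (System.currentTimeMillis) is strictly past {@code expiryTime}, an epoch-millisecond timestamp. */`. The two classes now carry byte-identical expiry logic; if they stay separate, stating the millisecond unit of `expiryTime` on both would guard against a seconds-vs-millis mix-up at the call sites in EsiaAuthInfoStore, which are not visible here.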
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringToken.java b/backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringToken.java
similarity index 89%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringToken.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringToken.java
index f6a476e..a20b88c 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/ExpiringToken.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/model/ExpiringToken.java
@@ -1,4 +1,4 @@
-package ru.micord.ervu.security.esia.token;
+package ru.micord.ervu.security.esia.model;
 /**
 * @author Eduard Tihomirov
@@ -28,7 +28,7 @@ public class ExpiringToken {
 this.expiryTime = expiryTime;
 }
- boolean isExpired() {
+ public boolean isExpired() {
 return System.currentTimeMillis() > expiryTime;
 }
 }
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthInfoClearShedulerService.java
similarity index 70%
rename from backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
rename to backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthInfoClearShedulerService.java
index caea622..299876f 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaAuthInfoClearShedulerService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthInfoClearShedulerService.java
@@ -1,17 +1,18 @@
-package ru.micord.ervu.security.esia.token;
+package ru.micord.ervu.security.esia.service;
 import net.javacrumbs.shedlock.core.SchedulerLock;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+import ru.micord.ervu.security.esia.EsiaAuthInfoStore;
 /**
 * @author Eduard Tihomirov
 */
 @Service
 public class EsiaAuthInfoClearShedulerService {
- @Scheduled(cron = "${esia.token.clear.cron:0 0 */1 * * *}")
- @SchedulerLock(name = "clearToken")
+ @Scheduled(cron = "${esia.auth.info.clear.cron:0 0 */1 * * *}")
+ @SchedulerLock(name = "clearAuthInfo")
 @Transactional
 public void run() {
 EsiaAuthInfoStore.removeExpiredRefreshToken();
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index 67efc80..9bfee2e 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -41,7 +41,7 @@ import ru.micord.ervu.security.esia.model.EsiaHeader;
 import ru.micord.ervu.security.esia.model.EsiaTokenResponse;
 import ru.micord.ervu.security.esia.model.FormUrlencoded;
 import ru.micord.ervu.security.esia.model.PersonModel;
-import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore;
+import ru.micord.ervu.security.esia.EsiaAuthInfoStore;
 import ru.micord.ervu.security.esia.config.EsiaConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
index 7ca9332..f3bf402 100644
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
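Review bot: The job is guarded by `@SchedulerLock(name = "clearAuthInfo")`, yet the store it purges, `EsiaAuthInfoStore`, keeps its entries in static `ConcurrentHashMap`s (see its hunk in patch 09), i.e. per JVM, so on a multi-node deployment only the node that wins the lock clears its own maps each run while expired tokens and login states on the other nodes linger until they happen to win. If the store is intentionally per-instance the lock should go; if it is meant to be shared, it needs an external backing before the lock does anything useful. The class still documents only `@author`; a one-line Javadoc such as `/** Evicts expired ESIA access/refresh tokens and login states from EsiaAuthInfoStore; hourly by default. */` would help. The body of `run()` continues past the end of the hunk. The lock name also changes from `clearToken` to `clearAuthInfo`, so during a mixed-version rollout old and new instances may run concurrently — harmless for these idempotent deletes, but worth knowing.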
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java @@ -14,7 +14,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; -import ru.micord.ervu.security.esia.token.EsiaAuthInfoStore; +import ru.micord.ervu.security.esia.EsiaAuthInfoStore; import ru.micord.ervu.security.webbpm.jwt.UserIdsPair; import ru.micord.ervu.security.webbpm.jwt.model.Token; diff --git a/config/standalone/dev/standalone.xml b/config/standalone/dev/standalone.xml index bce507f..dd6e0df 100644 --- a/config/standalone/dev/standalone.xml +++ b/config/standalone/dev/standalone.xml @@ -79,7 +79,7 @@ - + From dd88953f8d521e57622366d299ca357ceed40b73 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 26 Feb 2025 14:10:05 +0300 Subject: [PATCH 12/12] SUPPORT-8942: Fix --- config/local.env | 2 +- config/micord.env | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/local.env b/config/local.env index 65cf00d..6ad794c 100644 --- a/config/local.env +++ b/config/local.env @@ -35,5 +35,5 @@ ERVU_KAFKA_REGISTRY_EXTRACT_REPLY_TOPIC=ervu.extract.info.response ERVU_KAFKA_EXTRACT_HEADER_CLASS=request@urn://rostelekom.ru/ERVU-extractFromRegistryTR/1.0.3 ERVU_KAFKA_DOC_LOGIN_MODULE=org.apache.kafka.common.security.plain.PlainLoginModule -ESIA_TOKEN_CLEAR_CRON=0 0 */1 * * * +ESIA_AUTH_INFO_CLEAR_CRON=0 0 */1 * * * COOKIE_PATH=/fl diff --git a/config/micord.env b/config/micord.env index 99cd3d6..d0993cc 100644 --- a/config/micord.env +++ b/config/micord.env 
@@ -34,5 +34,5 @@ ERVU_KAFKA_REGISTRY_EXTRACT_REPLY_TOPIC=ervu.extract.info.response
 ERVU_KAFKA_EXTRACT_HEADER_CLASS=request@urn://rostelekom.ru/ERVU-extractFromRegistryTR/1.0.3
 ERVU_KAFKA_DOC_LOGIN_MODULE=org.apache.kafka.common.security.scram.ScramLoginModule
-ESIA_TOKEN_CLEAR_CRON=0 0 */1 * * *
+ESIA_AUTH_INFO_CLEAR_CRON=0 0 */1 * * *
 COOKIE_PATH=/fl