Merge branch 'feature/SUPPORT-8755_new' into hotfix/1.9.3

2024-12-25 16:48:57 +03:00 · 2024-12-25 16:48:57 +03:00 · c5baf9028f
commit c5baf9028f
parent 23f6b040ff 3f0a7fa5c1
7 changed files with 62 additions and 48 deletions
--- a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java
+++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java
@ -25,7 +25,6 @@ import ru.micord.ervu.security.webbpm.jwt.JwtMatcher;
 import ru.micord.ervu.security.webbpm.jwt.UnauthorizedEntryPoint;
 import ru.micord.ervu.security.webbpm.jwt.filter.JwtAuthenticationFilter;
 import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
 import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
 import static ru.micord.ervu.security.SecurityConstants.ESIA_LOGOUT;
@ -105,10 +104,9 @@ public class SecurityConfig {
  @Bean
  public JwtAuthenticationFilter jwtAuthenticationFilter(SecurityHelper securityHelper,
-                                                         AuthenticationManager manager,
+                                                         AuthenticationManager manager) {
                                                         JwtTokenService jwtTokenService) {
    JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter(
-        new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper, jwtTokenService);
+        new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper);
    jwtAuthenticationFilter.setAuthenticationManager(manager);
    return jwtAuthenticationFilter;
  }
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@ -27,7 +27,7 @@ import ru.micord.ervu.kafka.model.Document;
 import ru.micord.ervu.kafka.model.Person;
 import ru.micord.ervu.kafka.model.Response;
 import ru.micord.ervu.kafka.service.ReplyingKafkaService;
-import ru.micord.ervu.security.esia.token.TokensStore;
+import ru.micord.ervu.security.esia.token.EsiaTokensStore;
 import ru.micord.ervu.security.esia.config.EsiaConfig;
 import ru.micord.ervu.security.esia.model.FormUrlencoded;
 import ru.micord.ervu.security.esia.model.EsiaAccessToken;
@ -199,8 +199,8 @@ public class EsiaAuthService {
      EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr);
      String prnOid = esiaAccessToken.getSbj_id();
      Long expiresIn = tokenResponse.getExpires_in();
-      TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
+      EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
-      TokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn);
+      EsiaTokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn);
      Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr);
      Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
      int expiry = tokenResponse.getExpires_in().intValue();
@ -276,8 +276,8 @@ public class EsiaAuthService {
      EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr);
      String prnOid = esiaAccessToken.getSbj_id();
      Long expiresIn = tokenResponse.getExpires_in();
-      TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
+      EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
-      TokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn);
+      EsiaTokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn);
      Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr);
      Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
      int expiry = tokenResponse.getExpires_in().intValue();
@ -335,8 +335,8 @@ public class EsiaAuthService {
    try {
      securityHelper.clearAccessCookies(response);
      String userId = jwtTokenService.getUserAccountId(request);
-      TokensStore.removeAccessToken(userId);
+      EsiaTokensStore.removeAccessToken(userId);
-      TokensStore.removeRefreshToken(userId);
+      EsiaTokensStore.removeRefreshToken(userId);
      String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl();
      String redirectUrl = esiaConfig.getRedirectUrl();
      URL url = new URL(logoutUrl);
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java
@ -1,12 +1,17 @@
 package ru.micord.ervu.security.esia.token;
 import java.lang.invoke.MethodHandles;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * @author Eduard Tihomirov
 */
-public class TokensStore {
+public class EsiaTokensStore {
  private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
  private static final Map<String, ExpiringToken> accessTokensMap = new ConcurrentHashMap<>();
  private static final Map<String, ExpiringToken> refreshTokensMap = new ConcurrentHashMap<>();
@ -21,6 +26,19 @@ public class TokensStore {
    return accessTokensMap.get(prnOid).getAccessToken();
  }
  public static boolean validateAccessToken(String prnOid) {
    ExpiringToken token = accessTokensMap.get(prnOid);
    if (token == null || token.getAccessToken() == null) {
      LOGGER.error("No ESIA access token for prnOid: " + prnOid);
      return false;
    }
    else if (token.isExpired()) {
      LOGGER.error("ESIA access token expired for prnOid: " + prnOid);
      return false;
    }
    return true;
  }
  public static void removeExpiredAccessToken() {
    for (String key : accessTokensMap.keySet()) {
      ExpiringToken token = accessTokensMap.get(key);
--- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java
@ -14,7 +14,7 @@ public class TokensClearShedulerService {
  @SchedulerLock(name = "clearToken")
  @Transactional
  public void load() {
-    TokensStore.removeExpiredRefreshToken();
+    EsiaTokensStore.removeExpiredRefreshToken();
-    TokensStore.removeExpiredAccessToken();
+    EsiaTokensStore.removeExpiredAccessToken();
  }
 }
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java
@ -2,6 +2,8 @@ package ru.micord.ervu.security.webbpm.jwt;
 import java.util.Collections;
 import javax.servlet.http.HttpServletRequest;
 import io.jsonwebtoken.ExpiredJwtException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
@ -11,9 +13,13 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.RequestContextHolder;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;
 import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
 import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST;
@Component
 public class JwtAuthenticationProvider implements AuthenticationProvider {
@ -42,16 +48,26 @@ public class JwtAuthenticationProvider implements AuthenticationProvider {
      throw new BadCredentialsException("Authentication Failed.", e);
    }
-    if (!jwtTokenService.isValid(token)) {
+    if (jwtTokenService.isValid(token)) {
-      throw new BadCredentialsException("Auth token is not valid for user " + token.getUserAccountId());
+      RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
      HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(
          REFERENCE_REQUEST);
      String[] ids = token.getUserAccountId().split(":");
      if (request == null) {
        throw new IllegalStateException("No request found in request attributes");
      }
      if (request.getRequestURI().endsWith("esia/logout") || ids.length == 2) {
        UsernamePasswordAuthenticationToken pwdToken =
            UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null,
                Collections.emptyList()
            );
        return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue());
      }
    }
-    UsernamePasswordAuthenticationToken pwdToken =
+    throw new BadCredentialsException(
-        UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null,
+        "Auth token is not valid for user " + token.getUserAccountId());
            Collections.emptyList()
        );
    return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue());
  }
  @Override
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java
@ -16,6 +16,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import ru.micord.ervu.security.esia.token.EsiaTokensStore;
 import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication;
 import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;
@ -35,16 +36,12 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil
  private final SecurityHelper securityHelper;
  private final JwtTokenService jwtTokenService;
  public JwtAuthenticationFilter(RequestMatcher requestMatcher,
                                 AuthenticationEntryPoint entryPoint,
-                                 SecurityHelper securityHelper,
+                                 SecurityHelper securityHelper) {
                                 JwtTokenService jwtTokenService) {
    super(requestMatcher);
    this.entryPoint = entryPoint;
    this.securityHelper = securityHelper;
    this.jwtTokenService = jwtTokenService;
  }
  @Override
@ -58,18 +55,11 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil
    }
    try {
      authentication = getAuthenticationManager().authenticate(authentication);
      if (!httpServletRequest.getRequestURI().endsWith("esia/logout")) {
        Token token = jwtTokenService.getToken(tokenStr);
        String[] ids = token.getUserAccountId().split(":");
        if (ids.length != 2) {
          throw new CredentialsExpiredException("Invalid token. User has no ervuId");
        }
      }
    }
-    catch (CredentialsExpiredException e) {
+    catch (AuthenticationException e) {
      LOGGER.warn(e.getMessage());
      securityHelper.clearAccessCookies(httpServletResponse);
      httpServletResponse.setStatus(401);
      LOGGER.warn(e.getMessage());
      return null;
    }
    return authentication;
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
@ -14,7 +14,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
-import ru.micord.ervu.security.esia.token.TokensStore;
+import ru.micord.ervu.security.esia.token.EsiaTokensStore;
 import ru.micord.ervu.security.webbpm.jwt.model.Token;
 import ru.cg.webbpm.modules.resources.api.ResourceMetadataUtils;
@ -34,9 +34,6 @@ public class JwtTokenService {
          ResourceMetadataUtils.PROJECT_GROUP_ID + "." + ResourceMetadataUtils.PROJECT_ARTIFACT_ID;
  private final SecretKey SIGNING_KEY;
  @Autowired
  private HttpServletRequest request;
  @Autowired
  public JwtTokenService(@Value("${webbpm.security.token.secret.key:ZjE5ZjMxNmYtODViZC00ZTQ5LWIxZmYtOGEzYzE3Yjc1MDVk}")
                             String secretKey) {
@ -67,7 +64,7 @@ public class JwtTokenService {
      LOGGER.info("Token {} is expired ", token.getValue());
      return false;
    }
-    return true;
+    return EsiaTokensStore.validateAccessToken(token.getUserAccountId());
  }
  public Token getToken(String token) {
@ -79,17 +76,12 @@ public class JwtTokenService {
    return new Token(claims.getSubject(), claims.getIssuer(), claims.getExpiration(), token);
  }
  public String getErvuId() {
    String extractAuthToken = extractAuthToken(request);
    return getToken(extractAuthToken).getUserAccountId().split(":")[1];
  }
  public String getAccessToken(HttpServletRequest request) {
-    return TokensStore.getAccessToken(getUserAccountId(request));
+    return EsiaTokensStore.getAccessToken(getUserAccountId(request));
  }
  public String getRefreshToken(HttpServletRequest request) {
-    return TokensStore.getRefreshToken(getUserAccountId(request));
+    return EsiaTokensStore.getRefreshToken(getUserAccountId(request));
  }
  public String getUserAccountId(HttpServletRequest request) {