Merge pull request #381 from kbase/develop

Develop -> Master (Release 0.5.0)

Author: MrCreosote

Dockerfile

@@ -1,12 +1,20 @@
+FROM kbase/sdkbase2 as build
+
+COPY . /tmp/auth2
+RUN cd /tmp \
+    && git clone https://github.com/kbase/jars \
+    && cd auth2 \
+    && ant buildwar
+
 FROM kbase/kb_jre:latest
 
 # These ARGs values are passed in via the docker build command
 ARG BUILD_DATE
 ARG VCS_REF
 ARG BRANCH=develop
 
-COPY deployment/ /kb/deployment/
-COPY jettybase/ /kb/deployment/jettybase/
+COPY --from=build /tmp/auth2/deployment/ /kb/deployment/
+COPY --from=build /tmp/auth2/jettybase/ /kb/deployment/jettybase/
 
 # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to
 # the end

RELEASE_NOTES.md

@@ -1,6 +1,18 @@
 Authentication Service MKII release notes
 =========================================
 
+0.5.0
+-----
+
+* BACKWARDS INCOMPATIBILITY - any in flight login or link flows will fail after the server is
+  upgraded to 0.5.0.
+* ADMIN ACTION REQUIRED - before starting the upgraded server, remove all data from the `tempdata`
+  collection to avoid server errors for in flight login or link flows.
+* Added PKCE to the login and link OAuth2 flows for Google and Globus.
+  * See https://www.oauth.com/oauth2-servers/pkce/ for details.
+  * OrcID currently does not support PKCE, see https://github.com/ORCID/ORCID-Source/issues/5977
+* The OAuth2 state value is now stored in the database rather than in a cookie.
+
 0.4.3
 -----
 

TODO.md

@@ -3,6 +3,7 @@ Auth2 TODO list
 
 Auth service work
 -----------------
+* When OrcID supports PKCE, implement: https://github.com/ORCID/ORCID-Source/issues/5977
 * Include users's identities in admin user view
 * Complete rich UI (code not in this repo)
   * Currently only covers login, link, me, and tokens.

build.xml

@@ -216,13 +216,6 @@
     </copy>
   </target>
 
-  <target name="docker_image" depends="buildwar" description="build the docker image">
-    <!-- make the docker image that for auth2 -->
-    <exec executable="./build/build_docker_image.sh">
-    </exec>
-
-  </target>
-
   <target name="javadoc" description="build javadocs">
     <javadoc access="protected"
              author="false"
@@ -336,6 +329,7 @@
         <test name="us.kbase.test.auth2.lib.LoginTokenTest"/>
         <test name="us.kbase.test.auth2.lib.LoginStateTest"/>
         <test name="us.kbase.test.auth2.lib.NameTest"/>
+        <test name="us.kbase.test.auth2.lib.OAuth2StartDataTest"/>
         <test name="us.kbase.test.auth2.lib.PasswordHashAndSaltTest"/>
         <test name="us.kbase.test.auth2.lib.PasswordTest"/>
         <test name="us.kbase.test.auth2.lib.PolicyIDTest"/>

src/us/kbase/auth2/cryptutils/RandomDataGenerator.java

@@ -12,6 +12,13 @@ public interface RandomDataGenerator {
 	 * @return a token.
 	 */
 	String getToken();
+	
+	
+	/** Generate a random token encoded in Base32 in multiples of 40 bits / 8 characters.
+	 * @param sizeMultiple the size of the token in 40 bit / 8 character increments.
+	 * @return a token.
+	 */
+	String getToken(int sizeMultiple);
 
 	/** Generate a random password consisting of upper and lower case ascii letters excluding
 	 * lower case l and o and uppercase I and O, digits excluding one and zero, and the symbols

src/us/kbase/auth2/cryptutils/SHA1RandomDataGenerator.java

@@ -34,7 +34,15 @@ public SHA1RandomDataGenerator() throws NoSuchAlgorithmException {
 
 	@Override
 	public String getToken() {
-		final byte[] b = new byte[20]; //160 bits so 32 b32 chars
+		return getToken(4); //160 bits so 32 b32 chars
+	}
+	
+	@Override
+	public String getToken(final int sizeMultiple) {
+		if (sizeMultiple < 1) {
+			throw new IllegalArgumentException("sizeMultiple must be > 0");
+		}
+		final byte[] b = new byte[sizeMultiple * 5]; // 40 bits / 8 b32 chars per sizeMultiple
 		random.nextBytes(b);
 		return new Base32().encodeAsString(b);
 	}

src/us/kbase/auth2/kbase/KBaseAuthConfig.java

@@ -9,15 +9,14 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.ini4j.Ini;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.base.Optional;
-
 import us.kbase.auth2.lib.identity.IdentityProviderConfig;
 import us.kbase.auth2.lib.identity.IdentityProviderConfig.Builder;
 import us.kbase.auth2.lib.identity.IdentityProviderConfig.IdentityProviderConfigurationException;
@@ -99,8 +98,8 @@ public KBaseAuthConfig(final Path filepath, final boolean nullLogger)
 			templateDir = Paths.get(getString(KEY_TEMPLATE_DIR, cfg, true));
 			mongoHost = getString(KEY_MONGO_HOST, cfg, true);
 			mongoDB = getString(KEY_MONGO_DB, cfg, true);
-			mongoUser = Optional.fromNullable(getString(KEY_MONGO_USER, cfg));
-			Optional<String> mongop = Optional.fromNullable(getString(KEY_MONGO_PWD, cfg));
+			mongoUser = Optional.ofNullable(getString(KEY_MONGO_USER, cfg));
+			Optional<String> mongop = Optional.ofNullable(getString(KEY_MONGO_PWD, cfg));
 			if (mongoUser.isPresent() ^ mongop.isPresent()) {
 				mongop = null; //GC
 				throw new AuthConfigurationException(String.format(
@@ -109,7 +108,7 @@ public KBaseAuthConfig(final Path filepath, final boolean nullLogger)
 						KEY_MONGO_USER, KEY_MONGO_PWD, cfg.get(TEMP_KEY_CFG_FILE), CFG_LOC));
 			}
 			mongoPwd = mongop.isPresent() ?
-					Optional.of(mongop.get().toCharArray()) : Optional.absent();
+					Optional.of(mongop.get().toCharArray()) : Optional.empty();
 			mongop = null; //GC
 			cookieName = getString(KEY_COOKIE_NAME, cfg, true);
 			environmentHeader = getEnvironmentHeader(cfg);