UY-1489 add private key validation to OAuth IdP editor

Author: ppiernik

engine/src/main/java/pl/edu/icm/unity/engine/endpoint/EndpointsUpdater.java

@@ -151,6 +151,7 @@ private EndpointInstance createEndpointInstance(Endpoint endpointInDB) throws En
 			return loader.createEndpointInstance(endpointInDB);
 		} catch (ConfigurationException e)
 		{
+			log.error("Can not create endpoint instance" ,e);
 			throw new EndpointConfigurationException(endpointInDB, e);
 		}
 	}

oauth/src/main/java/pl/edu/icm/unity/oauth/as/console/OAuthEditorGeneralTab.java

@@ -5,6 +5,23 @@
 
 package pl.edu.icm.unity.oauth.as.console;
 
+import static io.imunity.vaadin.elements.CSSVars.TEXT_FIELD_BIG;
+import static io.imunity.vaadin.elements.CSSVars.TEXT_FIELD_MEDIUM;
+import static io.imunity.vaadin.elements.CssClassNames.IDP_INFO_LAYOUT;
+import static io.imunity.vaadin.elements.CssClassNames.MEDIUM_VAADIN_FORM_ITEM_LABEL;
+
+import java.nio.charset.StandardCharsets;
+import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Consumer;
+import java.util.stream.Collectors;
+
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
 import com.nimbusds.jose.JWSAlgorithm;
@@ -31,19 +48,26 @@
 import com.vaadin.flow.data.binder.Binder;
 import com.vaadin.flow.data.binder.ValidationResult;
 import com.vaadin.flow.data.validator.IntegerRangeValidator;
+
 import eu.unicore.util.httpclient.ServerHostnameCheckingMode;
 import io.imunity.console.utils.tprofile.OutputTranslationProfileFieldFactory;
-import io.imunity.vaadin.elements.*;
-import io.imunity.vaadin.elements.grid.GridWithEditorInDetails;
-import io.imunity.vaadin.endpoint.common.api.HtmlTooltipFactory;
-import io.imunity.vaadin.endpoint.common.api.SubViewSwitcher;
 import io.imunity.vaadin.auth.services.DefaultServiceDefinition;
 import io.imunity.vaadin.auth.services.ServiceEditorBase;
 import io.imunity.vaadin.auth.services.ServiceEditorComponent;
+import io.imunity.vaadin.elements.CustomValuesMultiSelectComboBox;
+import io.imunity.vaadin.elements.EnumComboBox;
+import io.imunity.vaadin.elements.LocalizedTextFieldDetails;
+import io.imunity.vaadin.elements.NoSpaceValidator;
+import io.imunity.vaadin.elements.grid.GridWithEditorInDetails;
+import io.imunity.vaadin.endpoint.common.api.HtmlTooltipFactory;
+import io.imunity.vaadin.endpoint.common.api.SubViewSwitcher;
+import io.imunity.vaadin.endpoint.common.exceptions.FormValidationException;
+import pl.edu.icm.unity.base.exceptions.EngineException;
 import pl.edu.icm.unity.base.exceptions.WrongArgumentException;
 import pl.edu.icm.unity.base.i18n.I18nString;
 import pl.edu.icm.unity.base.identity.IdentityType;
 import pl.edu.icm.unity.base.message.MessageSource;
+import pl.edu.icm.unity.engine.api.PKIManagement;
 import pl.edu.icm.unity.engine.api.endpoint.EndpointPathValidator;
 import pl.edu.icm.unity.oauth.as.OAuthASProperties.AccessTokenFormat;
 import pl.edu.icm.unity.oauth.as.OAuthASProperties.RefreshTokenIssuePolicy;
@@ -52,17 +76,6 @@
 import pl.edu.icm.unity.oauth.as.OAuthSystemScopeProvider;
 import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
 import pl.edu.icm.unity.oauth.as.webauthz.OAuthAuthzWebEndpoint;
-import io.imunity.vaadin.endpoint.common.exceptions.FormValidationException;
-
-import java.nio.charset.StandardCharsets;
-import java.util.*;
-import java.util.function.Consumer;
-import java.util.stream.Collectors;
-
-import static io.imunity.vaadin.elements.CSSVars.TEXT_FIELD_BIG;
-import static io.imunity.vaadin.elements.CSSVars.TEXT_FIELD_MEDIUM;
-import static io.imunity.vaadin.elements.CssClassNames.IDP_INFO_LAYOUT;
-import static io.imunity.vaadin.elements.CssClassNames.MEDIUM_VAADIN_FORM_ITEM_LABEL;
 
 /**
  * OAuth service editor general tab
@@ -72,7 +85,8 @@
  */
 class OAuthEditorGeneralTab extends VerticalLayout implements ServiceEditorBase.EditorTab
 {
-	private MessageSource msg;
+	private final MessageSource msg;
+	private final PKIManagement pkiManagement;
 	private Binder<DefaultServiceDefinition> oauthWebAuthzBinder;
 	private Binder<DefaultServiceDefinition> oauthTokenBinder;
 	private Binder<OAuthServiceConfiguration> configBinder;
@@ -98,13 +112,14 @@ class OAuthEditorGeneralTab extends VerticalLayout implements ServiceEditorBase.
 	private Set<String> validators;
 	private final HtmlTooltipFactory htmlTooltipFactory;
 
-	OAuthEditorGeneralTab(MessageSource msg, HtmlTooltipFactory htmlTooltipFactory, String serverPrefix, Set<String> serverContextPaths,
+	OAuthEditorGeneralTab(MessageSource msg, PKIManagement pkiManagement, HtmlTooltipFactory htmlTooltipFactory, String serverPrefix, Set<String> serverContextPaths,
 			SubViewSwitcher subViewSwitcher, OutputTranslationProfileFieldFactory profileFieldFactory, boolean editMode,
 			Set<String> credentials, Collection<IdentityType> identityTypes, List<String> attrTypes,
 			List<String> usedEndpointsPaths, List<OAuthScope> systemScopes, Set<String> validators, Set<String> certificates)
 	{
 		this.msg = msg;
-
+		this.pkiManagement = pkiManagement;
+		
 		this.editMode = editMode;
 		this.credentials = credentials;
 		this.idTypes = identityTypes;
@@ -406,17 +421,7 @@ private Component buildHeaderSection()
 		credential.setItems(credentials);
 		configBinder.forField(credential)
 				.asRequired((v, c) ->
-				{
-					if (credential.isEnabled() && (v == null || v.isEmpty())
-							&& !Family.HMAC_SHA.contains(JWSAlgorithm.parse(signingAlg.getValue()
-									.toString())))
-					{
-						return ValidationResult.error(msg.getMessage("fieldRequired"));
-					}
-
-					return ValidationResult.ok();
-
-				})
+					validateCredential(v, credential.isEnabled(), signingAlg.getValue() != null ? signingAlg.getValue().toString() : null))
 				.bind("credential");
 
 		credential.setEnabled(false);
@@ -461,6 +466,51 @@ private Component buildHeaderSection()
 		return main;
 	}
 
+	private PrivateKey getPrivateKey(String cred) throws EngineException
+	{
+		return pkiManagement.getCredential(cred).getKey();	
+	}
+	
+	private ValidationResult validateCredential(String credential, boolean isEnabled,  String signingAlg)
+	{
+		if (signingAlg == null)
+		{
+			return ValidationResult.ok();
+		}
+		
+		if (isEnabled && (credential == null || credential.isEmpty())
+				&& !Family.HMAC_SHA.contains(JWSAlgorithm.parse(signingAlg)))
+		{
+			return ValidationResult.error(msg.getMessage("fieldRequired"));
+		}	
+		
+		PrivateKey pk;
+		try
+		{
+			pk = getPrivateKey(credential);
+		} catch (EngineException e1)
+		{
+			return ValidationResult.error(msg.getMessage("OAuthEditorGeneralTab.credentialError"));
+		}
+		if (pk == null)
+		{
+			return ValidationResult.error(msg.getMessage("OAuthEditorGeneralTab.credentialError"));
+		}
+		
+		if (!(pk instanceof RSAPrivateKey) && Family.RSA.contains(JWSAlgorithm.parse(signingAlg)))
+		{
+			return ValidationResult.error(msg.getMessage("OAuthEditorGeneralTab.privateKeyError", "RSA", "RS"));
+		}
+		
+		if (!(pk instanceof ECPrivateKey) && Family.EC.contains(JWSAlgorithm.parse(signingAlg)))
+		{
+			return ValidationResult.error(msg.getMessage("OAuthEditorGeneralTab.privateKeyError", "EC", "ES"));
+		}
+		
+
+		return ValidationResult.ok();
+	}
+	
 	private void refreshScope(boolean add, OIDCScopeValue value)
 	{
 		Optional<OAuthScopeBean> scope = configBinder.getBean()
@@ -626,6 +676,8 @@ private void refreshSigningControls()
 			credential.setEnabled(false);
 			signingAlg.setEnabled(false);
 		}
+		
+		configBinder.getBinding("credential").get().validate();
 
 	}
 

oauth/src/main/java/pl/edu/icm/unity/oauth/as/console/OAuthServiceConfiguration.java

@@ -15,6 +15,7 @@
 import pl.edu.icm.unity.base.group.Group;
 import pl.edu.icm.unity.base.message.MessageSource;
 import pl.edu.icm.unity.base.translation.TranslationProfile;
+import pl.edu.icm.unity.engine.api.PKIManagement;
 import pl.edu.icm.unity.engine.api.TranslationProfileManagement;
 import pl.edu.icm.unity.engine.api.idp.CommonIdPProperties;
 import pl.edu.icm.unity.engine.api.idp.IdpPolicyAgreementsConfiguration;
@@ -112,7 +113,7 @@ public OAuthServiceConfiguration(MessageSource msg, List<Group> allGroups, OAuth
 		trustedUpstreamAS = new ArrayList<>();
 	}
 
-	public String toProperties(MessageSource msg)
+	public String toProperties(MessageSource msg, PKIManagement pkiForValidation)
 	{
 		Properties raw = new Properties();
 
@@ -293,7 +294,7 @@ public String toProperties(MessageSource msg)
 					OAuthASProperties.P));
 		}
 
-		OAuthASProperties oauthProperties = new OAuthASProperties(raw);
+		OAuthASProperties oauthProperties = pkiForValidation != null ? new OAuthASProperties(raw, pkiForValidation, null) : new OAuthASProperties(raw);
 		return oauthProperties.getAsString();
 	}
 

oauth/src/main/java/pl/edu/icm/unity/oauth/as/console/OAuthServiceController.java

@@ -710,7 +710,7 @@ private List<String> getAllUsernames() throws EngineException
 	public ServiceEditor getEditor(SubViewSwitcher subViewSwitcher) throws EngineException
 	{
 
-		return new OAuthServiceEditor(msg, subViewSwitcher, outputTranslationProfileFieldFactory,
+		return new OAuthServiceEditor(msg, subViewSwitcher, outputTranslationProfileFieldFactory, pkiMan,
 				advertisedAddrProvider.get().toString(), server.getUsedContextPaths(), imageService, notificationPresenter,
 				fileStorageService, serverConfig,
 				realmsMan.getRealms().stream().map(r -> r.getName()).collect(Collectors.toList()),

oauth/src/main/java/pl/edu/icm/unity/oauth/as/console/OAuthServiceEditor.java

@@ -21,6 +21,7 @@
 import pl.edu.icm.unity.base.group.Group;
 import pl.edu.icm.unity.base.identity.IdentityType;
 import pl.edu.icm.unity.base.message.MessageSource;
+import pl.edu.icm.unity.engine.api.PKIManagement;
 import pl.edu.icm.unity.engine.api.authn.AuthenticatorInfo;
 import pl.edu.icm.unity.engine.api.authn.AuthenticatorSupportService;
 import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
@@ -66,10 +67,12 @@ class OAuthServiceEditor implements ServiceEditor
 	private final Set<String> validators;
 	private final Set<String> certificates;
 	private final HtmlTooltipFactory htmlTooltipFactory;
+	private final PKIManagement pkiManagement;
 
 	OAuthServiceEditor(MessageSource msg, 
 			SubViewSwitcher subViewSwitcher,
 			OutputTranslationProfileFieldFactory outputTranslationProfileFieldFactory,
+			PKIManagement pkiManagement,
 			String serverPrefix,
 			Set<String> serverContextPaths,
 			VaadinLogoImageLoader imageService,
@@ -95,6 +98,7 @@ class OAuthServiceEditor implements ServiceEditor
 			Set<String> certificates, HtmlTooltipFactory htmlTooltipFactory)
 	{
 		this.msg = msg;
+		this.pkiManagement = pkiManagement;
 		this.notificationPresenter = notificationPresenter;
 		this.allRealms = allRealms;
 		this.authenticators = authenticators;
@@ -126,7 +130,7 @@ class OAuthServiceEditor implements ServiceEditor
 	@Override
 	public ServiceEditorComponent getEditor(ServiceDefinition endpoint)
 	{
-		OAuthEditorGeneralTab generalTab = new OAuthEditorGeneralTab(msg, htmlTooltipFactory, serverPrefix, serverContextPaths,
+		OAuthEditorGeneralTab generalTab = new OAuthEditorGeneralTab(msg, pkiManagement,  htmlTooltipFactory, serverPrefix, serverContextPaths,
 				subViewSwitcher, outputTranslationProfileFieldFactory, endpoint != null, credentials, idTypes,
 				allAttributes, usedPaths, scopeService.getSystemScopes(), validators, certificates);
 		OAuthEditorClientsTab clientsTab = new OAuthEditorClientsTab(msg, serverConfig,
@@ -141,7 +145,7 @@ public ServiceEditorComponent getEditor(ServiceDefinition endpoint)
 
 		PolicyAgreementsTab policyAgreementTab = new PolicyAgreementsTab(msg, policyDocuments);
 
-		editor = new OAuthServiceEditorComponent(msg, generalTab, clientsTab, usersTab, webAuthTab, policyAgreementTab,
+		editor = new OAuthServiceEditorComponent(msg, pkiManagement, generalTab, clientsTab, usersTab, webAuthTab, policyAgreementTab,
 				fileStorageService, imageService, scopeService, endpoint, allGroups, systemClientsSupplier);
 		return editor;
 	}

oauth/src/main/java/pl/edu/icm/unity/oauth/as/console/OAuthServiceEditorComponent.java

@@ -6,6 +6,8 @@
 package pl.edu.icm.unity.oauth.as.console;
 
 import com.vaadin.flow.data.binder.Binder;
+
+import eu.unicore.util.configuration.ConfigurationException;
 import io.imunity.vaadin.auth.services.DefaultServiceDefinition;
 import io.imunity.vaadin.auth.services.ServiceDefinition;
 import io.imunity.vaadin.auth.services.ServiceEditorBase;
@@ -19,6 +21,7 @@
 import pl.edu.icm.unity.base.group.Group;
 import pl.edu.icm.unity.base.i18n.I18nString;
 import pl.edu.icm.unity.base.message.MessageSource;
+import pl.edu.icm.unity.engine.api.PKIManagement;
 import pl.edu.icm.unity.engine.api.files.FileStorageService;
 import pl.edu.icm.unity.oauth.as.OAuthScopesService;
 import pl.edu.icm.unity.oauth.as.console.OAuthClient.OAuthClientsBean;
@@ -46,17 +49,19 @@ class OAuthServiceEditorComponent extends ServiceEditorBase
 	private final Binder<ServiceWebConfiguration> webConfigBinder;
 	private final Binder<OAuthClientsBean> clientsBinder;
 	private final FileStorageService fileStorageService;
+	private final PKIManagement pkiManagement;
 	private final Group generatedIdPGroup;
 	private final boolean editMode;
 
-	OAuthServiceEditorComponent(MessageSource msg, OAuthEditorGeneralTab generalTab, OAuthEditorClientsTab clientsTab,
+	OAuthServiceEditorComponent(MessageSource msg, PKIManagement pkiMan, OAuthEditorGeneralTab generalTab, OAuthEditorClientsTab clientsTab,
 			IdpEditorUsersTab usersTab, WebServiceAuthenticationTab webAuthTab, PolicyAgreementsTab policyAgreementTab,
 			FileStorageService fileStorageService, VaadinLogoImageLoader imageAccessService,
 			OAuthScopesService scopeService, ServiceDefinition toEdit,
 			List<Group> allGroups, Function<String, List<OAuthClient>> systemClientsSupplier)
 	{
 		super(msg);
 		this.fileStorageService = fileStorageService;
+		this.pkiManagement = pkiMan;
 		editMode = toEdit != null;
 		oauthServiceWebAuthzBinder = new Binder<>(DefaultServiceDefinition.class);
 		oauthConfigBinder = new Binder<>(OAuthServiceConfiguration.class);
@@ -193,13 +198,21 @@ ServiceDefinition getServiceDefiniton() throws FormValidationException
 		}
 
 		DefaultServiceDefinition webAuthz = oauthServiceWebAuthzBinder.getBean();
-		VaadinEndpointProperties prop = new VaadinEndpointProperties(
-				webConfigBinder.getBean().toProperties(msg, fileStorageService, webAuthz.getName()));
-		webAuthz.setConfiguration(oauthConfigBinder.getBean().toProperties(msg) + "\n" + prop.getAsString());
-
-		DefaultServiceDefinition token = oauthServiceTokenBinder.getBean();
-		token.setConfiguration(oauthConfigBinder.getBean().toProperties(msg));
-
+		DefaultServiceDefinition token;
+		try
+		{
+			VaadinEndpointProperties prop = new VaadinEndpointProperties(webConfigBinder.getBean()
+					.toProperties(msg, fileStorageService, webAuthz.getName()));
+			webAuthz.setConfiguration(oauthConfigBinder.getBean()
+					.toProperties(msg, pkiManagement) + "\n" + prop.getAsString());
+
+			token = oauthServiceTokenBinder.getBean();
+			token.setConfiguration(oauthConfigBinder.getBean()
+					.toProperties(msg, pkiManagement));
+		} catch (ConfigurationException e)
+		{
+			throw new FormValidationException(e.getMessage());
+		}
 		if (token.getName() == null || token.getName().isEmpty())
 		{
 			token.setName(webAuthz.getName() + TOKEN_SERVICE_NAME_SUFFIX);

oauth/src/main/resources/messages/oauth/messages.properties

@@ -182,6 +182,9 @@ OAuthEditorGeneralTab.refreshTokenIssuePolicy=Refresh token issue policy:
 OAuthEditorGeneralTab.refreshTokenIssuePolicy.NEVER=Never
 OAuthEditorGeneralTab.refreshTokenIssuePolicy.ALWAYS=Always
 OAuthEditorGeneralTab.refreshTokenIssuePolicy.OFFLINE_SCOPE_BASED=Offline scope based
+OAuthEditorGeneralTab.privateKeyError=The private key must be {0} if one of {1} signingAlgorithm is used 
+OAuthEditorGeneralTab.credentialError=Invalid credential
+
 
 OAuthEditorGeneralTab.importantURLs=Important URLs:
 OAuthEditorGeneralTab.tokenEndpointPath=Token Endpoint: