JDBC implementation of RegisteredClientRepository

Author: rlewczuk

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepository.java

@@ -0,0 +1,283 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.client;
+
+import org.springframework.jdbc.core.*;
+import org.springframework.jdbc.support.lob.DefaultLobHandler;
+import org.springframework.jdbc.support.lob.LobCreator;
+import org.springframework.jdbc.support.lob.LobHandler;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
+import org.springframework.security.oauth2.server.authorization.config.TokenSettings;
+import org.springframework.util.Assert;
+
+import java.nio.charset.StandardCharsets;
+import java.sql.*;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.*;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+/**
+ * JDBC-backed registered client repository
+ *
+ * @author Rafal Lewczuk
+ * @since 0.1.2
+ */
+public class JdbcRegisteredClientRepository implements RegisteredClientRepository {
+
+	private static final Map<String, AuthorizationGrantType> AUTHORIZATION_GRANT_TYPE_MAP;
+	private static final Map<String, ClientAuthenticationMethod> CLIENT_AUTHENTICATION_METHOD_MAP;
+
+	private static final String COLUMN_NAMES = "id, "
+			+ "client_id, "
+			+ "client_id_issued_at, "
+			+ "client_secret, "
+			+ "client_secret_expires_at, "
+			+ "client_name, "
+			+ "client_authentication_methods, "
+			+ "authorization_grant_types, "
+			+ "redirect_uris, "
+			+ "scopes, "
+			+ "require_proof_key, "
+			+ "require_user_consent, "
+			+ "access_token_ttl, "
+			+ "reuse_refresh_tokens, "
+			+ "refresh_token_ttl";
+
+	private static final String TABLE_NAME = "oauth2_registered_client";
+
+	private static final String LOAD_REGISTERED_CLIENT_SQL = "SELECT " + COLUMN_NAMES + " FROM " + TABLE_NAME + " WHERE ";
+
+	private static final String INSERT_REGISTERED_CLIENT_SQL = "INSERT INTO " + TABLE_NAME
+			+ "(" + COLUMN_NAMES + ") values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
+
+	private RowMapper<RegisteredClient> registeredClientRowMapper;
+
+	private Function<RegisteredClient, List<SqlParameterValue>> registeredClientParametersMapper;
+
+	private final JdbcOperations jdbcOperations;
+
+	private final LobHandler lobHandler = new DefaultLobHandler();
+
+	public JdbcRegisteredClientRepository(JdbcOperations jdbcOperations) {
+		Assert.notNull(jdbcOperations, "jdbcOperations cannot be null");
+		this.jdbcOperations = jdbcOperations;
+		this.registeredClientRowMapper = new DefaultRegisteredClientRowMapper();
+		this.registeredClientParametersMapper = new DefaultRegisteredClientParametersMapper();
+	}
+
+	/**
+	 * Allows changing of {@link RegisteredClient} row mapper implementation
+	 *
+	 * @param registeredClientRowMapper mapper implementation
+	 */
+	public void setRegisteredClientRowMapper(RowMapper<RegisteredClient> registeredClientRowMapper) {
+		Assert.notNull(registeredClientRowMapper, "registeredClientRowMapper cannot be null");
+		this.registeredClientRowMapper = registeredClientRowMapper;
+	}
+
+	/**
+	 * Allows changing of SQL parameter mapper for {@link RegisteredClient}
+	 *
+	 * @param registeredClientParametersMapper mapper implementation
+	 */
+	public void setRegisteredClientParametersMapper(Function<RegisteredClient, List<SqlParameterValue>> registeredClientParametersMapper) {
+		Assert.notNull(registeredClientParametersMapper, "registeredClientParameterMapper cannot be null");
+		this.registeredClientParametersMapper = registeredClientParametersMapper;
+	}
+
+	@Override
+	public void save(RegisteredClient registeredClient) {
+		Assert.notNull(registeredClient, "registeredClient cannot be null");
+		RegisteredClient foundClient = this.findBy("id = ? OR client_id = ? OR client_secret = ?",
+				registeredClient.getId(), registeredClient.getClientId(),
+				registeredClient.getClientSecret().getBytes(StandardCharsets.UTF_8));
+
+		if (null != foundClient) {
+			Assert.isTrue(!foundClient.getId().equals(registeredClient.getId()),
+					"Registered client must be unique. Found duplicate identifier: " + registeredClient.getId());
+			Assert.isTrue(!foundClient.getClientId().equals(registeredClient.getClientId()),
+					"Registered client must be unique. Found duplicate client identifier: " + registeredClient.getClientId());
+			Assert.isTrue(!foundClient.getClientSecret().equals(registeredClient.getClientSecret()),
+					"Registered client must be unique. Found duplicate client secret for identifier: " + registeredClient.getId());
+		}
+
+		List<SqlParameterValue> parameters = this.registeredClientParametersMapper.apply(registeredClient);
+
+		try (LobCreator lobCreator = this.lobHandler.getLobCreator()) {
+			PreparedStatementSetter pss = new LobCreatorArgumentPreparedStatementSetter(lobCreator, parameters.toArray());
+			jdbcOperations.update(INSERT_REGISTERED_CLIENT_SQL, pss);
+		}
+	}
+
+	@Override
+	public RegisteredClient findById(String id) {
+		Assert.hasText(id, "id cannot be empty");
+		return findBy("id = ?", id);
+	}
+
+	@Override
+	public RegisteredClient findByClientId(String clientId) {
+		Assert.hasText(clientId, "clientId cannot be empty");
+		return findBy("client_id = ?", clientId);
+	}
+
+	private RegisteredClient findBy(String condStr, Object...args) {
+		List<RegisteredClient> lst = jdbcOperations.query(
+				LOAD_REGISTERED_CLIENT_SQL + condStr,
+				registeredClientRowMapper, args);
+		return !lst.isEmpty() ? lst.get(0) : null;
+	}
+
+	private static class DefaultRegisteredClientRowMapper implements RowMapper<RegisteredClient> {
+
+		private final LobHandler lobHandler = new DefaultLobHandler();
+
+		private Collection<String> parseList(String s) {
+			return s != null ? Arrays.asList(s.split("\\|")) : Collections.emptyList();
+		}
+
+		@Override
+		public RegisteredClient mapRow(ResultSet rs, int rowNum) throws SQLException {
+			Collection<String> scopes = parseList(rs.getString("scopes"));
+			List<AuthorizationGrantType> authGrantTypes = parseList(rs.getString("authorization_grant_types"))
+					.stream().map(AUTHORIZATION_GRANT_TYPE_MAP::get).collect(Collectors.toList());
+			List<ClientAuthenticationMethod> clientAuthMethods = parseList(rs.getString("client_authentication_methods"))
+					.stream().map(CLIENT_AUTHENTICATION_METHOD_MAP::get).collect(Collectors.toList());
+			Collection<String> redirectUris = parseList(rs.getString("redirect_uris"));
+			Timestamp clientIssuedAt = rs.getTimestamp("client_id_issued_at");
+			Timestamp clientSecretExpiresAt = rs.getTimestamp("client_secret_expires_at");
+			byte[] clientSecretBytes = this.lobHandler.getBlobAsBytes(rs, "client_secret");
+			String clientSecret = clientSecretBytes != null ? new String(clientSecretBytes, StandardCharsets.UTF_8) : null;
+			RegisteredClient.Builder builder = RegisteredClient
+					.withId(rs.getString("id"))
+					.clientId(rs.getString("client_id"))
+					.clientIdIssuedAt(clientIssuedAt != null ? clientIssuedAt.toInstant() : null)
+					.clientSecret(clientSecret)
+					.clientSecretExpiresAt(clientSecretExpiresAt != null ? clientSecretExpiresAt.toInstant() : null)
+					.clientName(rs.getString("client_name"))
+					.clientAuthenticationMethods(coll -> coll.addAll(clientAuthMethods))
+					.authorizationGrantTypes(coll -> coll.addAll(authGrantTypes))
+					.redirectUris(coll -> coll.addAll(redirectUris))
+					.scopes(coll -> coll.addAll(scopes));
+
+			RegisteredClient rc = builder.build();
+
+			TokenSettings ts = rc.getTokenSettings();
+			ts.accessTokenTimeToLive(Duration.ofMillis(rs.getLong("access_token_ttl")));
+			ts.refreshTokenTimeToLive(Duration.ofMillis(rs.getLong("refresh_token_ttl")));
+			ts.reuseRefreshTokens(rs.getBoolean("reuse_refresh_tokens"));
+
+			ClientSettings cs = rc.getClientSettings();
+			cs.requireProofKey(rs.getBoolean("require_proof_key"));
+			cs.requireUserConsent(rs.getBoolean("require_user_consent"));
+
+			return rc;
+		}
+	}
+
+	private static class DefaultRegisteredClientParametersMapper implements Function<RegisteredClient, List<SqlParameterValue>> {
+		@Override
+		public List<SqlParameterValue> apply(RegisteredClient registeredClient) {
+
+			List<String> clientAuthenticationMethodNames = new ArrayList<>(registeredClient.getClientAuthenticationMethods().size());
+			for (ClientAuthenticationMethod clientAuthenticationMethod : registeredClient.getClientAuthenticationMethods()) {
+				clientAuthenticationMethodNames.add(clientAuthenticationMethod.getValue());
+			}
+
+			List<String> authorizationGrantTypeNames = new ArrayList<>(registeredClient.getAuthorizationGrantTypes().size());
+			for (AuthorizationGrantType authorizationGrantType : registeredClient.getAuthorizationGrantTypes()) {
+				authorizationGrantTypeNames.add(authorizationGrantType.getValue());
+			}
+
+			Instant issuedAt = registeredClient.getClientIdIssuedAt() != null ?
+					registeredClient.getClientIdIssuedAt() : Instant.now();
+
+			Timestamp clientSecretExpiresAt = registeredClient.getClientSecretExpiresAt() != null ?
+					Timestamp.from(registeredClient.getClientSecretExpiresAt()) : null;
+
+			return Arrays.asList(
+					new SqlParameterValue(Types.VARCHAR, registeredClient.getId()),
+					new SqlParameterValue(Types.VARCHAR, registeredClient.getClientId()),
+					new SqlParameterValue(Types.TIMESTAMP, Timestamp.from(issuedAt)),
+					new SqlParameterValue(Types.BLOB, registeredClient.getClientSecret().getBytes(StandardCharsets.UTF_8)),
+					new SqlParameterValue(Types.TIMESTAMP, clientSecretExpiresAt),
+					new SqlParameterValue(Types.VARCHAR, registeredClient.getClientName()),
+					new SqlParameterValue(Types.VARCHAR, String.join("|", clientAuthenticationMethodNames)),
+					new SqlParameterValue(Types.VARCHAR, String.join("|", authorizationGrantTypeNames)),
+					new SqlParameterValue(Types.VARCHAR, String.join("|", registeredClient.getRedirectUris())),
+					new SqlParameterValue(Types.VARCHAR, String.join("|", registeredClient.getScopes())),
+					new SqlParameterValue(Types.BOOLEAN, registeredClient.getClientSettings().requireProofKey()),
+					new SqlParameterValue(Types.BOOLEAN, registeredClient.getClientSettings().requireUserConsent()),
+					new SqlParameterValue(Types.NUMERIC, registeredClient.getTokenSettings().accessTokenTimeToLive().toMillis()),
+					new SqlParameterValue(Types.BOOLEAN, registeredClient.getTokenSettings().reuseRefreshTokens()),
+					new SqlParameterValue(Types.NUMERIC, registeredClient.getTokenSettings().refreshTokenTimeToLive().toMillis()));
+		}
+	}
+
+	private static final class LobCreatorArgumentPreparedStatementSetter extends ArgumentPreparedStatementSetter {
+
+		protected final LobCreator lobCreator;
+
+		private LobCreatorArgumentPreparedStatementSetter(LobCreator lobCreator, Object[] args) {
+			super(args);
+			this.lobCreator = lobCreator;
+		}
+
+		@Override
+		protected void doSetValue(PreparedStatement ps, int parameterPosition, Object argValue) throws SQLException {
+			if (argValue instanceof SqlParameterValue) {
+				SqlParameterValue paramValue = (SqlParameterValue) argValue;
+				if (paramValue.getSqlType() == Types.BLOB) {
+					if (paramValue.getValue() != null) {
+						Assert.isInstanceOf(byte[].class, paramValue.getValue(),
+								"Value of blob parameter must be byte[]");
+					}
+					byte[] valueBytes = (byte[]) paramValue.getValue();
+					this.lobCreator.setBlobAsBytes(ps, parameterPosition, valueBytes);
+					return;
+				}
+			}
+			super.doSetValue(ps, parameterPosition, argValue);
+		}
+
+	}
+
+	static {
+		Map<String, AuthorizationGrantType> am = new HashMap<>();
+		for (AuthorizationGrantType a : Arrays.asList(
+				AuthorizationGrantType.AUTHORIZATION_CODE,
+				AuthorizationGrantType.REFRESH_TOKEN,
+				AuthorizationGrantType.CLIENT_CREDENTIALS,
+				AuthorizationGrantType.PASSWORD,
+				AuthorizationGrantType.IMPLICIT)) {
+			am.put(a.getValue(), a);
+		}
+		AUTHORIZATION_GRANT_TYPE_MAP = Collections.unmodifiableMap(am);
+
+		Map<String, ClientAuthenticationMethod> cm = new HashMap<>();
+		for (ClientAuthenticationMethod c : Arrays.asList(
+				ClientAuthenticationMethod.NONE,
+				ClientAuthenticationMethod.BASIC,
+				ClientAuthenticationMethod.POST)) {
+			cm.put(c.getValue(), c);
+		}
+		CLIENT_AUTHENTICATION_METHOD_MAP = Collections.unmodifiableMap(cm);
+	}
+}

oauth2-authorization-server/src/main/resources/org/springframework/security/oauth2/server/authorization/client/oauth2_registered_client.sql

@@ -0,0 +1,17 @@
+CREATE TABLE oauth2_registered_client (
+    id varchar(100) NOT NULL,
+    client_id varchar(100) NOT NULL,
+    client_id_issued_at timestamp DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    client_secret blob NOT NULL,
+    client_secret_expires_at timestamp DEFAULT NULL,
+    client_name varchar(200),
+    client_authentication_methods varchar(1000) NOT NULL,
+    authorization_grant_types varchar(1000) NOT NULL,
+    redirect_uris varchar(1000) NOT NULL,
+    scopes varchar(1000) NOT NULL,
+    require_proof_key boolean NOT NULL,
+    require_user_consent boolean NOT NULL,
+    access_token_ttl integer DEFAULT 300000 NOT NULL,
+    reuse_refresh_tokens boolean DEFAULT true NOT NULL,
+    refresh_token_ttl integer DEFAULT 600000 NOT NULL,
+    PRIMARY KEY (id));