JDBC implementation of RegisteredClientRepository

Author: rlewczuk

gradle/dependency-management.gradle

@@ -32,5 +32,6 @@ dependencyManagement {
 		dependency "com.squareup.okhttp3:mockwebserver:3.14.9"
 		dependency "com.squareup.okhttp3:okhttp:3.14.9"
 		dependency "com.jayway.jsonpath:json-path:2.4.0"
+		dependency "org.hsqldb:hsqldb:2.5.+"
 	}
 }

oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle

@@ -10,13 +10,18 @@ dependencies {
 	compile 'com.nimbusds:nimbus-jose-jwt'
 	compile 'com.fasterxml.jackson.core:jackson-databind'
 
+	optional 'org.springframework:spring-jdbc'
+	optional 'org.springframework:spring-tx'
+
 	testCompile 'org.springframework.security:spring-security-test'
 	testCompile 'org.springframework:spring-webmvc'
 	testCompile 'junit:junit'
 	testCompile 'org.assertj:assertj-core'
 	testCompile 'org.mockito:mockito-core'
 	testCompile 'com.jayway.jsonpath:json-path'
 
+	testRuntime 'org.hsqldb:hsqldb'
+
 	provided 'javax.servlet:javax.servlet-api'
 }
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepository.java

@@ -0,0 +1,257 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.client;
+
+import org.springframework.jdbc.core.*;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
+import org.springframework.security.oauth2.server.authorization.config.TokenSettings;
+import org.springframework.util.Assert;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Timestamp;
+import java.sql.Types;
+import java.time.Duration;
+import java.util.*;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+/**
+ * JDBC-backed registered client repository
+ *
+ * @author Rafal Lewczuk
+ * @since 0.1.2
+ */
+public class JdbcRegisteredClientRepository implements RegisteredClientRepository {
+
+	private static final Map<String, AuthorizationGrantType> AUTHORIZATION_GRANT_TYPE_MAP;
+	private static final Map<String, ClientAuthenticationMethod> CLIENT_AUTHENTICATION_METHOD_MAP;
+
+	private static final String COLUMN_NAMES = "id, "
+			+ "client_id, "
+			+ "client_id_issued_at, "
+			+ "client_secret, "
+			+ "client_secret_expires_at, "
+			+ "client_name, "
+			+ "client_authentication_methods, "
+			+ "authorization_grant_types, "
+			+ "redirect_uris, "
+			+ "scopes, "
+			+ "require_proof_key, "
+			+ "require_user_consent, "
+			+ "access_token_ttl, "
+			+ "reuse_refresh_tokens, "
+			+ "refresh_token_ttl";
+
+	private static final String TABLE_NAME = "oauth2_registered_client";
+
+	private static final String LOAD_REGISTERED_CLIENT_SQL = "SELECT " + COLUMN_NAMES + " FROM " + TABLE_NAME + " WHERE ";
+
+	private static final String INSERT_REGISTERED_CLIENT_SQL = "INSERT INTO " + TABLE_NAME
+			+ "(" + COLUMN_NAMES + ") values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
+
+	protected RowMapper<RegisteredClient> registeredClientRowMapper;
+
+	protected Function<RegisteredClient, List<SqlParameterValue>> registeredClientParameterMapper;
+
+	protected Function<String, Collection<String>> listParser;
+
+	protected Function<Collection<String>, String> listFormatter;
+
+	protected JdbcOperations jdbcOperations;
+
+	public JdbcRegisteredClientRepository(JdbcOperations jdbcOperations) {
+		Assert.notNull(jdbcOperations, "jdbcOperations cannot be null");
+		this.jdbcOperations = jdbcOperations;
+		this.registeredClientRowMapper = this::defaultRegisteredClientRowMapper;
+		this.registeredClientParameterMapper = this::defaultRegisteredClientParameterMapper;
+		this.listParser = this::defaultListParse;
+		this.listFormatter = this::defaultListFormat;
+	}
+
+	/**
+	 * Allows changing of {@link RegisteredClient} row mapper implementation
+	 *
+	 * @param registeredClientRowMapper mapper implementation
+	 */
+	public void setRegisteredClientRowMapper(RowMapper<RegisteredClient> registeredClientRowMapper) {
+		Assert.notNull(registeredClientRowMapper, "registeredClientRowMapper cannot be null");
+		this.registeredClientRowMapper = registeredClientRowMapper;
+	}
+
+	/**
+	 * Allows changing of SQL parameter mapper for {@link RegisteredClient}
+	 *
+	 * @param registeredClientParameterMapper mapper implementation
+	 */
+	public void setRegisteredClientParameterMapper(Function<RegisteredClient, List<SqlParameterValue>> registeredClientParameterMapper) {
+		Assert.notNull(registeredClientParameterMapper, "registeredClientParameterMapper cannot be null");
+		this.registeredClientParameterMapper = registeredClientParameterMapper;
+	}
+
+	/**
+	 * Allows changing format of list attributes of {@link RegisteredClient}
+	 *
+	 * @param listParser new list parser function
+	 */
+	public void setListParser(Function<String, Collection<String>> listParser) {
+		Assert.notNull(listParser, "listParser cannot be null");
+		this.listParser = listParser;
+	}
+
+	/**
+	 * Allows changing format of list attributes of {@link RegisteredClient}
+	 *
+	 * @param listFormatter new list formatter function
+	 */
+	public void setListFormatter(Function<Collection<String>, String> listFormatter) {
+		Assert.notNull(listFormatter, "listFormatter cannot be null");
+		this.listFormatter = listFormatter;
+	}
+
+	@Override
+	public void save(RegisteredClient registeredClient) {
+		Assert.notNull(registeredClient, "registeredClient cannot be null");
+		RegisteredClient foundClient = this.findBy("id = ? OR client_id = ? OR client_secret = ?",
+				registeredClient.getId(), registeredClient.getClientId(), registeredClient.getClientSecret());
+
+		if (null != foundClient) {
+			Assert.isTrue(!foundClient.getId().equals(registeredClient.getId()),
+					"Registered client must be unique. Found duplicate identifier: " + registeredClient.getId());
+			Assert.isTrue(!foundClient.getClientId().equals(registeredClient.getClientId()),
+					"Registered client must be unique. Found duplicate client identifier: " + registeredClient.getClientId());
+			Assert.isTrue(!foundClient.getClientSecret().equals(registeredClient.getClientSecret()),
+					"Registered client must be unique. Found duplicate client secret for identifier: " + registeredClient.getId());
+		}
+
+		List<SqlParameterValue> parameters = this.registeredClientParameterMapper.apply(registeredClient);
+		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters.toArray());
+		jdbcOperations.update(INSERT_REGISTERED_CLIENT_SQL, pss);
+	}
+
+	@Override
+	public RegisteredClient findById(String id) {
+		Assert.hasText(id, "id cannot be empty");
+		return findBy("id = ?", id);
+	}
+
+	@Override
+	public RegisteredClient findByClientId(String clientId) {
+		Assert.hasText(clientId, "clientId cannot be empty");
+		return findBy("client_id = ?", clientId);
+	}
+
+	private RegisteredClient findBy(String condStr, Object...args) {
+		List<RegisteredClient> lst = jdbcOperations.query(
+				LOAD_REGISTERED_CLIENT_SQL + condStr,
+				registeredClientRowMapper, args);
+		return lst.size() == 1 ? lst.get(0) : null;
+	}
+
+	private RegisteredClient defaultRegisteredClientRowMapper(ResultSet rs, int rownum) throws SQLException {
+		Collection<String> scopes = listParser.apply(rs.getString("scopes"));
+		List<AuthorizationGrantType> authGrantTypes = listParser.apply(rs.getString("authorization_grant_types"))
+				.stream().map(AUTHORIZATION_GRANT_TYPE_MAP::get).collect(Collectors.toList());
+		List<ClientAuthenticationMethod> clientAuthMethods = listParser.apply(rs.getString("client_authentication_methods"))
+				.stream().map(CLIENT_AUTHENTICATION_METHOD_MAP::get).collect(Collectors.toList());
+		Collection<String> redirectUris = listParser.apply(rs.getString("redirect_uris"));
+		Timestamp clientIssuedAt = rs.getTimestamp("client_id_issued_at");
+		Timestamp clientSecretExpiresAt = rs.getTimestamp("client_secret_expires_at");
+		RegisteredClient.Builder builder = RegisteredClient
+				.withId(rs.getString("id"))
+				.clientId(rs.getString("client_id"))
+				.clientIdIssuedAt(clientIssuedAt != null ? clientIssuedAt.toInstant() : null)
+				.clientSecret(rs.getString("client_secret"))
+				.clientSecretExpiresAt(clientSecretExpiresAt != null ? clientSecretExpiresAt.toInstant() : null)
+				.clientName(rs.getString("client_name"))
+				.clientAuthenticationMethods(coll -> coll.addAll(clientAuthMethods))
+				.authorizationGrantTypes(coll -> coll.addAll(authGrantTypes))
+				.redirectUris(coll -> coll.addAll(redirectUris))
+				.scopes(coll -> coll.addAll(scopes));
+
+		RegisteredClient rc = builder.build();
+
+		TokenSettings ts = rc.getTokenSettings();
+		ts.accessTokenTimeToLive(Duration.ofMillis(rs.getLong("access_token_ttl")));
+		ts.refreshTokenTimeToLive(Duration.ofMillis(rs.getLong("refresh_token_ttl")));
+		ts.reuseRefreshTokens(rs.getBoolean("reuse_refresh_tokens"));
+
+		ClientSettings cs = rc.getClientSettings();
+		cs.requireProofKey(rs.getBoolean("require_proof_key"));
+		cs.requireUserConsent(rs.getBoolean("require_user_consent"));
+
+		return rc;
+	}
+
+	private List<SqlParameterValue> defaultRegisteredClientParameterMapper(RegisteredClient registeredClient) {
+		List<String> clientAuthenticationMethodNames = registeredClient.getClientAuthenticationMethods().stream()
+				.map(ClientAuthenticationMethod::getValue).collect(Collectors.toList());
+		List<String> authorizationGrantTypeNames = registeredClient.getAuthorizationGrantTypes().stream()
+				.map(AuthorizationGrantType::getValue).collect(Collectors.toList());
+		Timestamp clientIdIssuedAt = registeredClient.getClientIdIssuedAt() != null ?
+				Timestamp.from(registeredClient.getClientIdIssuedAt()) : null;
+		Timestamp clientSecretExpiresAt = registeredClient.getClientSecretExpiresAt() != null ?
+				Timestamp.from(registeredClient.getClientSecretExpiresAt()) : null;
+		return Arrays.asList(
+				new SqlParameterValue(Types.VARCHAR, registeredClient.getId()),
+				new SqlParameterValue(Types.VARCHAR, registeredClient.getClientId()),
+				new SqlParameterValue(Types.TIMESTAMP, clientIdIssuedAt),
+				new SqlParameterValue(Types.VARCHAR, registeredClient.getClientSecret()),
+				new SqlParameterValue(Types.TIMESTAMP, clientSecretExpiresAt),
+				new SqlParameterValue(Types.VARCHAR, registeredClient.getClientName()),
+				new SqlParameterValue(Types.VARCHAR, listFormatter.apply(clientAuthenticationMethodNames)),
+				new SqlParameterValue(Types.VARCHAR, listFormatter.apply(authorizationGrantTypeNames)),
+				new SqlParameterValue(Types.VARCHAR, listFormatter.apply(registeredClient.getRedirectUris())),
+				new SqlParameterValue(Types.VARCHAR, listFormatter.apply(registeredClient.getScopes())),
+				new SqlParameterValue(Types.BOOLEAN, registeredClient.getClientSettings().requireProofKey()),
+				new SqlParameterValue(Types.BOOLEAN, registeredClient.getClientSettings().requireUserConsent()),
+				new SqlParameterValue(Types.NUMERIC, registeredClient.getTokenSettings().accessTokenTimeToLive().toMillis()),
+				new SqlParameterValue(Types.BOOLEAN, registeredClient.getTokenSettings().reuseRefreshTokens()),
+				new SqlParameterValue(Types.NUMERIC, registeredClient.getTokenSettings().refreshTokenTimeToLive().toMillis()));
+	}
+
+	private Collection<String> defaultListParse(String s) {
+		return s != null ? Arrays.asList(s.split("\\|")) : Collections.emptyList();
+	}
+
+	private String defaultListFormat(Collection<String> items) {
+		return String.join("|", items);
+	}
+
+	static {
+		Map<String, AuthorizationGrantType> am = new HashMap<>();
+		for (AuthorizationGrantType a : Arrays.asList(
+				AuthorizationGrantType.AUTHORIZATION_CODE,
+				AuthorizationGrantType.REFRESH_TOKEN,
+				AuthorizationGrantType.CLIENT_CREDENTIALS,
+				AuthorizationGrantType.PASSWORD,
+				AuthorizationGrantType.IMPLICIT)) {
+			am.put(a.getValue(), a);
+		}
+		AUTHORIZATION_GRANT_TYPE_MAP = Collections.unmodifiableMap(am);
+
+		Map<String, ClientAuthenticationMethod> cm = new HashMap<>();
+		for (ClientAuthenticationMethod c : Arrays.asList(
+				ClientAuthenticationMethod.NONE,
+				ClientAuthenticationMethod.BASIC,
+				ClientAuthenticationMethod.POST)) {
+			cm.put(c.getValue(), c);
+		}
+		CLIENT_AUTHENTICATION_METHOD_MAP = Collections.unmodifiableMap(cm);
+	}
+}

oauth2-authorization-server/src/main/resources/org/springframework/security/oauth2/server/authorization/client/oauth2_registered_client_h2.ddl

@@ -0,0 +1,16 @@
+create table oauth2_registered_client (
+    id varchar(128) primary key not null,
+    client_id varchar(128) not null,
+    client_id_issued_at datetime,
+    client_secret varchar(4096) not null,
+    client_secret_expires_at datetime,
+    client_name varchar(512),
+    client_authentication_methods varchar(512) not null,
+    authorization_grant_types varchar(512) not null,
+    redirect_uris varchar(4096) not null,
+    scopes varchar(1024) not null,
+    require_proof_key boolean not null,
+    require_user_consent boolean not null,
+    access_token_ttl integer default 300000 not null,
+    reuse_refresh_tokens boolean default true not null,
+    refresh_token_ttl integer default 600000 not null);