/**
 * Removes the access token identified by {@code tokenKey}.
 * <p>
 * Despite its name, this method performs no expiry check of its own: the token with the given
 * key is deleted unconditionally, so the caller is responsible for selecting only expired tokens.
 *
 * @param tokenKey key of the access token to delete
 */
@Transactional
public void removeExpired(final String tokenKey) {
    final String keyToPurge = tokenKey;
    accessTokenDAO.delete(keyToPurge);
}
/**
 * Lists access tokens, paged and ordered as requested, together with the total count.
 * Requires the {@code ACCESS_TOKEN_LIST} entitlement.
 *
 * @param page page number to return
 * @param size number of elements per page
 * @param orderByClauses ordering to apply
 * @return total number of stored access tokens (left) and the requested page, converted to
 * transfer objects (right)
 */
@PreAuthorize("hasRole('" + StandardEntitlement.ACCESS_TOKEN_LIST + "')")
public Pair<Integer, List<AccessTokenTO>> list(
        final int page, final int size, final List<OrderByClause> orderByClauses) {

    // count() takes no paging arguments: the total is over all tokens, not just this page
    Integer total = accessTokenDAO.count();

    List<AccessTokenTO> pageOfTOs = accessTokenDAO.findAll(page, size, orderByClauses).stream().
            map(binder::getAccessTokenTO).
            collect(Collectors.toList());

    return Pair.of(total, pageOfTOs);
}
/**
 * Job body: purges all expired access tokens via the DAO.
 *
 * @param dryRun when {@code true}, nothing is deleted and the job only reports success
 * @return the fixed status string {@code "SUCCESS"}
 * @throws JobExecutionException declared by the overridden method; not thrown by this body itself
 */
@Override
protected String doExecute(final boolean dryRun) throws JobExecutionException {
    if (dryRun) {
        return "SUCCESS";
    }

    int purged = accessTokenDAO.deleteExpired();
    LOG.debug("Successfully deleted {} expired access tokens", purged);

    return "SUCCESS";
}
/**
 * Deletes the given user: detaches it from dynamic role, group and realm memberships, revokes the
 * access token it owns (if any), removes the entity and finally publishes an {@link AnyDeletedEvent}.
 *
 * @param user user to delete
 */
@Override
public void delete(final User user) {
    String userKey = user.getKey();
    String username = user.getUsername();

    // dynamic memberships are detached before the entity itself is removed
    roleDAO.removeDynMemberships(userKey);
    groupDAO.removeDynMemberships(user);
    dynRealmDAO.removeDynMemberships(userKey);

    // a token left behind would otherwise outlive the account it authenticates
    revokeAccessTokenOwnedBy(username);

    entityManager().remove(user);

    publisher.publishEvent(new AnyDeletedEvent(
            this, AnyTypeKind.USER, userKey, username, AuthContextUtils.getDomain()));
}

/**
 * Deletes the access token owned by the given username, when one exists; owning no token is not
 * an error.
 *
 * @param username owner of the token to revoke
 */
private void revokeAccessTokenOwnedBy(final String username) {
    AccessToken owned = accessTokenDAO.findByOwner(username);
    if (owned != null) {
        accessTokenDAO.delete(owned);
    }
}
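/**
 * Deletes the given any type and withdraws the entitlements that existed for it.
 * <p>
 * When the caller is not the admin user, the withdrawn entitlements are also removed from the
 * authorities stored in the caller's own access token, so that the current session does not keep
 * privileges for a type that no longer exists.
 *
 * @param anyType any type to delete
 * @return transfer object of the deleted any type, captured before deletion
 */
@Override
public AnyTypeTO delete(final AnyType anyType) {
    AnyTypeTO deleted = getAnyTypeTO(anyType);
    anyTypeDAO.delete(anyType.getKey());

    final Set<String> removed = EntitlementsHolder.getInstance().removeFor(deleted.getKey());

    if (!adminUser.equals(AuthContextUtils.getUsername())) {
        withdrawFromCurrentToken(removed);
    }

    return deleted;
}

/**
 * Removes the given entitlements from the authorities stored in the current user's access token.
 * Failures are logged and not propagated, since the any type itself has already been deleted.
 *
 * @param entitlements names of the entitlements to withdraw
 */
private void withdrawFromCurrentToken(final Set<String> entitlements) {
    String username = AuthContextUtils.getUsername();

    // findByOwner returns null when the caller owns no token: guard instead of letting the
    // NullPointerException surface as a misleading "Could not fetch or store authorities"
    AccessToken accessToken = accessTokenDAO.findByOwner(username);
    if (accessToken == null) {
        LOG.debug("No AccessToken found for {}, nothing to update", username);
        return;
    }

    try {
        Set<SyncopeGrantedAuthority> authorities = new HashSet<>(POJOHelper.deserialize(
                ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
                new TypeReference<Set<SyncopeGrantedAuthority>>() {
        }));

        authorities.removeIf(authority -> entitlements.contains(authority.getAuthority()));

        accessToken.setAuthorities(ENCRYPTOR.encode(
                POJOHelper.serialize(authorities), CipherAlgorithm.AES).
                getBytes());

        accessTokenDAO.save(accessToken);
    } catch (Exception e) {
        LOG.error("Could not fetch or store authorities", e);
    }
}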
/**
 * Refreshes the access token owned by the authenticated user, delegating to the binder's
 * {@code update} with the caller's current authorities.
 *
 * @return the refreshed JWT body (left) and its expiry (right)
 * @throws NotFoundException if the authenticated user owns no access token
 */
@PreAuthorize("isAuthenticated()")
public Pair<String, Date> refresh() {
    String owner = AuthContextUtils.getUsername();

    AccessToken current = accessTokenDAO.findByOwner(owner);
    if (current == null) {
        throw new NotFoundException("AccessToken for " + owner);
    }

    return binder.update(current, getAuthorities());
}
/**
 * Resolves the user and the granted authorities behind the given JWT claims.
 * <p>
 * The user is looked up by the claims' subject; the authorities are read from the stored access
 * token matching the claims' token id. The authorities are empty when the user is unknown, when no
 * stored token (or no stored authorities) matches the token id, or when the stored authorities
 * cannot be decoded — in that last case the failure is logged and the user is returned with no
 * authority rather than propagating the error.
 * NOTE(review): an unknown token id does not by itself reject the user here; presumably the caller
 * checks the token id separately — confirm.
 *
 * @param jwtClaims claims of the presented JWT
 * @return the user ({@code null} if not found) and the authorities read for it
 */
@Transactional(readOnly = true)
@Override
public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims jwtClaims) {
    Set<SyncopeGrantedAuthority> authorities = Collections.emptySet();

    User user = userDAO.findByUsername(jwtClaims.getSubject());
    if (user == null) {
        return Pair.of(user, authorities);
    }

    AccessToken stored = accessTokenDAO.find(jwtClaims.getTokenId());
    if (stored == null || stored.getAuthorities() == null) {
        return Pair.of(user, authorities);
    }

    try {
        authorities = POJOHelper.deserialize(
                ENCRYPTOR.decode(new String(stored.getAuthorities()), CipherAlgorithm.AES),
                new TypeReference<Set<SyncopeGrantedAuthority>>() {
        });
    } catch (Throwable t) {
        // fail closed: a token whose authorities cannot be read grants nothing
        LOG.error("Could not read stored authorities", t);
    }

    return Pair.of(user, authorities);
}
}
/**
 * Regenerates the JWT for the given access token entity and persists it.
 * <p>
 * Body, expiry and owner are always refreshed; the stored authorities are replaced only when the
 * owner is not the admin user, so the admin user's token never carries stored authorities.
 *
 * @param subject username owning the token, used as JWT subject
 * @param claims additional claims to put into the JWT
 * @param authorities serialized authorities to store with the token (ignored for the admin user)
 * @param accessToken token entity to update in place
 * @return the saved token entity
 */
private AccessToken replace(
        final String subject,
        final Map<String, Object> claims,
        final byte[] authorities,
        final AccessToken accessToken) {

    // lifetime is re-read from configuration at every (re)issue, 120 minutes when unset
    Long lifetimeMinutes = confDAO.find("jwt.lifetime.minutes", 120L);
    Pair<String, Date> jwt = generateJWT(accessToken.getKey(), subject, lifetimeMinutes, claims);

    accessToken.setBody(jwt.getLeft());
    accessToken.setExpiryTime(jwt.getRight());
    accessToken.setOwner(subject);

    boolean ownedByAdmin = adminUser.equals(accessToken.getOwner());
    if (!ownedByAdmin) {
        accessToken.setAuthorities(authorities);
    }

    return accessTokenDAO.save(accessToken);
}
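/**
 * Updates the authenticated user's own account.
 * <p>
 * Requires an authenticated caller that is neither anonymous nor flagged as having to change
 * password. After the update, if the user ended up in a status that does not allow
 * authentication, the user's access token (if any) is revoked so that it cannot be used for
 * further requests.
 *
 * @param userPatch changes to apply; its key is overwritten with the authenticated user's key
 * @param nullPriorityAsync passed through to {@code doUpdate}
 * @return outcome of the update
 */
@PreAuthorize("isAuthenticated() "
        + "and not(hasRole('" + StandardEntitlement.ANONYMOUS + "')) "
        + "and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD + "'))")
public ProvisioningResult<UserTO> selfUpdate(final UserPatch userPatch, final boolean nullPriorityAsync) {
    UserTO userTO = binder.getAuthenticatedUserTO();
    // the caller may only patch itself: the key comes from the authenticated user, never from the patch
    userPatch.setKey(userTO.getKey());

    ProvisioningResult<UserTO> updated = doUpdate(userPatch, true, nullPriorityAsync);

    // If the update moved the user into a status from which no authentication is possible, revoke
    // the existing access token so that it cannot keep a now-blocked account logged in.
    UserTO entity = updated.getEntity();
    if (!confDAO.getValuesAsStrings("authentication.statuses").contains(entity.getStatus())) {
        // findByOwner returns null when the user owns no token: the null check must be on the
        // token itself, not on its key, otherwise getKey() throws before the check is reached
        AccessToken accessToken = accessTokenDAO.findByOwner(entity.getUsername());
        if (accessToken != null) {
            accessTokenDAO.delete(accessToken.getKey());
        }
    }

    return updated;
}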
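/**
 * Creates a new any type from the given transfer object and registers the entitlements for it.
 * <p>
 * When the caller is not the admin user, the newly added entitlements are also granted, at root
 * realm level, in the authorities stored in the caller's own access token, so that the current
 * session can manage the type it just created without re-authenticating.
 *
 * @param anyTypeTO transfer object describing the any type to create
 * @return the new any type entity
 */
@Override
public AnyType create(final AnyTypeTO anyTypeTO) {
    AnyType anyType = entityFactory.newEntity(AnyType.class);
    update(anyType, anyTypeTO);

    Set<String> added = EntitlementsHolder.getInstance().addFor(anyType.getKey());

    if (!adminUser.equals(AuthContextUtils.getUsername())) {
        grantOnCurrentToken(added);
    }

    return anyType;
}

/**
 * Adds the given entitlements, scoped to the root realm, to the authorities stored in the current
 * user's access token. Failures are logged and not propagated, since the any type itself has
 * already been created.
 *
 * @param entitlements names of the entitlements to grant
 */
private void grantOnCurrentToken(final Set<String> entitlements) {
    String username = AuthContextUtils.getUsername();

    // findByOwner returns null when the caller owns no token: guard instead of letting the
    // NullPointerException surface as a misleading "Could not fetch or store authorities"
    AccessToken accessToken = accessTokenDAO.findByOwner(username);
    if (accessToken == null) {
        LOG.debug("No AccessToken found for {}, nothing to update", username);
        return;
    }

    try {
        Set<SyncopeGrantedAuthority> authorities = new HashSet<>(POJOHelper.deserialize(
                ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
                new TypeReference<Set<SyncopeGrantedAuthority>>() {
        }));

        for (String entitlement : entitlements) {
            authorities.add(new SyncopeGrantedAuthority(entitlement, SyncopeConstants.ROOT_REALM));
        }

        accessToken.setAuthorities(ENCRYPTOR.encode(
                POJOHelper.serialize(authorities), CipherAlgorithm.AES).
                getBytes());

        accessTokenDAO.save(accessToken);
    } catch (Exception e) {
        LOG.error("Could not fetch or store authorities", e);
    }
}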
/**
 * Logs the authenticated user out by deleting the access token it owns.
 *
 * @throws NotFoundException if the authenticated user owns no access token
 */
@PreAuthorize("isAuthenticated()")
public void logout() {
    String owner = AuthContextUtils.getUsername();

    AccessToken owned = accessTokenDAO.findByOwner(owner);
    if (owned == null) {
        throw new NotFoundException("AccessToken for " + owner);
    }

    // removal goes through delete(String), keyed by the token's own key
    delete(owned.getKey());
}
/**
 * Resolves the user and the granted authorities behind the given JWT claims.
 * <p>
 * The user is looked up by the claims' subject; the authorities are read from the stored access
 * token matching the claims' token id. The authorities are empty when the user is unknown, when no
 * stored token (or no stored authorities) matches the token id, or when the stored authorities
 * cannot be decoded — in that last case the failure is logged and the user is returned with no
 * authority rather than propagating the error.
 * NOTE(review): an unknown token id does not by itself reject the user here; presumably the caller
 * checks the token id separately — confirm.
 *
 * @param jwtClaims claims of the presented JWT
 * @return the user ({@code null} if not found) and the authorities read for it
 */
@Transactional(readOnly = true)
@Override
public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims jwtClaims) {
    Set<SyncopeGrantedAuthority> authorities = Collections.emptySet();

    User user = userDAO.findByUsername(jwtClaims.getSubject());
    if (user == null) {
        return Pair.of(user, authorities);
    }

    AccessToken stored = accessTokenDAO.find(jwtClaims.getTokenId());
    if (stored == null || stored.getAuthorities() == null) {
        return Pair.of(user, authorities);
    }

    try {
        authorities = POJOHelper.deserialize(
                ENCRYPTOR.decode(new String(stored.getAuthorities()), CipherAlgorithm.AES),
                new TypeReference<Set<SyncopeGrantedAuthority>>() {
        });
    } catch (Throwable t) {
        // fail closed: a token whose authorities cannot be read grants nothing
        LOG.error("Could not read stored authorities", t);
    }

    return Pair.of(user, authorities);
}
}
/**
 * Re-signs the JWT held by the given access token with a fresh expiry and stores the new body,
 * expiry and (for non-admin owners) authorities on the entity.
 * <p>
 * The lifetime comes from the {@code jwt.lifetime.minutes} configuration parameter (120 when
 * unset). The JWT expiry claim is expressed in seconds, while the entity stores the same instant
 * as a millisecond-based {@link Date}.
 *
 * @param accessToken token whose JWT is re-issued; updated in place and saved
 * @param authorities serialized authorities to store; ignored when the owner is the admin user
 * @return the new signed JWT body (left) and its expiry (right)
 */
@Override
public Pair<String, Date> update(final AccessToken accessToken, final byte[] authorities) {
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken.getBody());

    // performed before anything is signed with the configured key
    credentialChecker.checkIsDefaultJWSKeyInUse();

    long lifetimeMinutes = confDAO.find("jwt.lifetime.minutes", 120L);
    long nowSeconds = new Date().getTime() / 1000L;
    long expirySeconds = nowSeconds + 60L * lifetimeMinutes;

    consumer.getJwtClaims().setExpiryTime(expirySeconds);
    Date expiryDate = new Date(expirySeconds * 1000L);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, jwsSignatureProvider.getAlgorithm());
    JwtToken reissued = new JwtToken(jwsHeaders, consumer.getJwtClaims());
    String body = new JwsJwtCompactProducer(reissued).signWith(jwsSignatureProvider);

    accessToken.setBody(body);
    // the entity keeps milliseconds, the JWT claim above keeps seconds
    accessToken.setExpiryTime(expiryDate);
    if (!adminUser.equals(accessToken.getOwner())) {
        accessToken.setAuthorities(authorities);
    }
    accessTokenDAO.save(accessToken);

    return Pair.of(body, expiryDate);
}
/**
 * Removes the access token identified by {@code tokenKey}.
 * <p>
 * Despite its name, this method performs no expiry check of its own: the token with the given
 * key is deleted unconditionally, so the caller is responsible for selecting only expired tokens.
 *
 * @param tokenKey key of the access token to delete
 */
@Transactional
public void removeExpired(final String tokenKey) {
    final String keyToPurge = tokenKey;
    accessTokenDAO.delete(keyToPurge);
}
AccessToken accessToken = accessTokenDAO.findByOwner(oldUsername); if (accessToken != null) { accessToken.setOwner(userPatch.getUsername().getValue()); accessTokenDAO.save(accessToken);
/**
 * Creates or refreshes the access token owned by {@code subject}.
 * <p>
 * A new token, keyed by a random UUID, is issued when the subject owns none. An existing token is
 * re-issued when {@code replace} is requested, when it has no expiry, or when it is already
 * expired; otherwise the existing token is returned as is.
 *
 * @param subject username owning the token
 * @param claims additional claims for the JWT
 * @param authorities serialized authorities to store with the token
 * @param replace whether an existing, still valid token must be re-issued anyway
 * @return JWT body (left) and expiry (right) of the resulting token
 */
@Override
public Pair<String, Date> create(
        final String subject,
        final Map<String, Object> claims,
        final byte[] authorities,
        final boolean replace) {

    AccessToken accessToken = accessTokenDAO.findByOwner(subject);

    if (accessToken == null) {
        // nothing stored for this subject: mint a fresh entity with a random key
        AccessToken fresh = entityFactory.newEntity(AccessToken.class);
        fresh.setKey(SecureRandomUtils.generateRandomUUID().toString());
        accessToken = replace(subject, claims, authorities, fresh);
    } else {
        boolean expired = accessToken.getExpiryTime() == null
                || accessToken.getExpiryTime().before(new Date());
        if (replace || expired) {
            // caller asked for a new one, or the stored one can no longer be used
            accessToken = replace(subject, claims, authorities, accessToken);
        }
    }

    return Pair.of(accessToken.getBody(), accessToken.getExpiryTime());
}
AccessToken accessToken = accessTokenDAO.find(authentication.getClaims().getTokenId()); if (accessToken == null) { throw new AuthenticationCredentialsNotFoundException(
/**
 * Deletes the access token with the given key. Requires the {@code ACCESS_TOKEN_DELETE}
 * entitlement.
 *
 * @param key key of the access token to delete
 */
@PreAuthorize("hasRole('" + StandardEntitlement.ACCESS_TOKEN_DELETE + "')")
public void delete(final String key) {
    final String keyToDelete = key;
    accessTokenDAO.delete(keyToDelete);
}
AccessToken accessToken = accessTokenDAO.find(authentication.getClaims().getTokenId()); if (accessToken == null) { throw new AuthenticationCredentialsNotFoundException(
accessTokenDAO.delete(consumer.getJwtClaims().getTokenId()); } else { SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);