[SYNCOPE-1936] Generate OIDC JWKS as CAS does (#1252)

Author: ilgrosso

client/am/console/src/main/java/org/apache/syncope/client/console/panels/OIDC.java

@@ -24,6 +24,7 @@
 import java.util.concurrent.atomic.AtomicReference;
 import org.apache.syncope.client.console.SyncopeConsoleSession;
 import org.apache.syncope.client.console.rest.OIDCJWKSRestClient;
+import org.apache.syncope.client.console.rest.WAConfigRestClient;
 import org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.BaseModal;
 import org.apache.syncope.client.console.wicket.markup.html.form.JsonEditorPanel;
 import org.apache.syncope.client.ui.commons.Constants;
@@ -54,6 +55,11 @@ public class OIDC extends Panel {
     @SpringBean
     protected OIDCJWKSRestClient oidcJWKSRestClient;
 
+    @SpringBean
+    protected WAConfigRestClient waConfigRestClient;
+
+    protected final BaseModal<OIDCJWKSTO> generateModal = new BaseModal<>("generateModal");
+
     protected final BaseModal<String> viewModal = new BaseModal<>("viewModal") {
 
         private static final long serialVersionUID = 389935548143327858L;
@@ -75,15 +81,15 @@ public OIDC(final String id, final String waPrefix, final PageReference pageRef)
         super(id);
         setOutputMarkupId(true);
 
-        add(viewModal);
-        viewModal.size(Modal.Size.Extra_large);
-        viewModal.setWindowClosedCallback(target -> viewModal.show(false));
-
         WebMarkupContainer container = new WebMarkupContainer("container");
         add(container.setOutputMarkupId(true));
 
         AtomicReference<OIDCJWKSTO> oidcjwksto = oidcJWKSRestClient.get();
 
+        add(viewModal);
+        viewModal.size(Modal.Size.Extra_large);
+        viewModal.setWindowClosedCallback(target -> viewModal.show(false));
+
         view = new AjaxLink<>("view") {
 
             private static final long serialVersionUID = 6250423506463465679L;
@@ -123,18 +129,10 @@ protected void onComponentTag(final ComponentTag tag) {
 
             @Override
             public void onClick(final AjaxRequestTarget target) {
-                try {
-                    oidcjwksto.set(oidcJWKSRestClient.generate());
-                    generate.setEnabled(false);
-                    view.setEnabled(true);
-
-                    SyncopeConsoleSession.get().success(getString(Constants.OPERATION_SUCCEEDED));
-                    target.add(container);
-                } catch (Exception e) {
-                    LOG.error("While generating OIDC JWKS", e);
-                    SyncopeConsoleSession.get().onException(e);
-                }
-                ((BaseWebPage) pageRef.getPage()).getNotificationPanel().refresh(target);
+                generateModal.header(Model.of("Generate JSON Web Key Sets"));
+                target.add(generateModal.setContent(new OIDCJWKSGenerationPanel(
+                        oidcJWKSRestClient, waConfigRestClient, generateModal, pageRef)));
+                generateModal.show(true);
             }
 
             @Override
@@ -184,6 +182,17 @@ protected void onComponentTag(final ComponentTag tag) {
         container.add(delete.setOutputMarkupId(true));
         MetaDataRoleAuthorizationStrategy.authorize(delete, ENABLE, AMEntitlement.OIDC_JWKS_DELETE);
 
+        generateModal.addSubmitButton();
+        add(generateModal);
+        generateModal.setWindowClosedCallback(target -> {
+            oidcjwksto.set(oidcJWKSRestClient.get().get());
+            view.setEnabled(oidcjwksto.get() != null);
+            delete.setEnabled(oidcjwksto.get() != null);
+
+            target.add(container);
+            generateModal.show(false);
+        });
+
         String wellKnownURI = waPrefix + "/oidc/.well-known/openid-configuration";
         container.add(new ExternalLink("wellKnownURI", wellKnownURI, wellKnownURI));
     }

client/am/console/src/main/java/org/apache/syncope/client/console/panels/OIDCJWKSGenerationPanel.java

@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.console.panels;
+
+import java.util.List;
+import org.apache.syncope.client.console.SyncopeConsoleSession;
+import org.apache.syncope.client.console.rest.OIDCJWKSRestClient;
+import org.apache.syncope.client.console.rest.WAConfigRestClient;
+import org.apache.syncope.client.console.wicket.ajax.form.IndicatorAjaxEventBehavior;
+import org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.BaseModal;
+import org.apache.syncope.client.ui.commons.Constants;
+import org.apache.syncope.client.ui.commons.markup.html.form.AjaxDropDownChoicePanel;
+import org.apache.syncope.client.ui.commons.markup.html.form.AjaxNumberFieldPanel;
+import org.apache.syncope.client.ui.commons.markup.html.form.AjaxTextFieldPanel;
+import org.apache.syncope.client.ui.commons.pages.BaseWebPage;
+import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.to.OIDCJWKSTO;
+import org.apache.wicket.PageReference;
+import org.apache.wicket.ajax.AjaxRequestTarget;
+import org.apache.wicket.model.Model;
+
+public class OIDCJWKSGenerationPanel extends AbstractModalPanel<OIDCJWKSTO> {
+
+    private static final long serialVersionUID = -3372006007594607067L;
+
+    protected final OIDCJWKSRestClient oidcJWKSRestClient;
+
+    protected final Model<String> jwksKeyIdM;
+
+    protected final Model<String> jwksTypeM;
+
+    protected final Model<Integer> jwksKeySizeM;
+
+    public OIDCJWKSGenerationPanel(
+            final OIDCJWKSRestClient oidcJWKSRestClient,
+            final WAConfigRestClient waConfigRestClient,
+            final BaseModal<OIDCJWKSTO> modal,
+            final PageReference pageRef) {
+
+        super(modal, pageRef);
+        this.oidcJWKSRestClient = oidcJWKSRestClient;
+
+        jwksKeyIdM = Model.of("syncope");
+        try {
+            jwksKeyIdM.setObject(waConfigRestClient.get("cas.authn.oidc.jwks.core.jwks-key-id").getValues().get(0));
+        } catch (SyncopeClientException e) {
+            LOG.error("While reading cas.authn.oidc.jwks.core.jwks-key-id", e);
+        }
+        add(new AjaxTextFieldPanel("jwksKeyId", "jwksKeyId", jwksKeyIdM).setRequired(true));
+
+        jwksTypeM = Model.of("rsa");
+        try {
+            jwksTypeM.setObject(waConfigRestClient.get("cas.authn.oidc.jwks.core.jwks-type").getValues().get(0));
+        } catch (SyncopeClientException e) {
+            LOG.error("While reading cas.authn.oidc.jwks.core.jwks-type", e);
+        }
+        AjaxDropDownChoicePanel<String> jwksType = new AjaxDropDownChoicePanel<>("jwksType", "jwksType", jwksTypeM).
+                setChoices(List.of("rsa", "ec"));
+        add(jwksType.setRequired(true));
+
+        jwksKeySizeM = Model.of(2048);
+        try {
+            jwksKeySizeM.setObject(Integer.valueOf(
+                    waConfigRestClient.get("cas.authn.oidc.jwks.core.jwks-key-size").getValues().get(0)));
+        } catch (SyncopeClientException e) {
+            LOG.error("While reading cas.authn.oidc.jwks.core.jwks-key-size", e);
+        }
+        AjaxNumberFieldPanel<Integer> jwksKeySize = new AjaxNumberFieldPanel.Builder<Integer>().step(128).
+                build("jwksKeySize", "jwksKeySize", Integer.class, jwksKeySizeM);
+        add(jwksKeySize.setRequired(true));
+
+        jwksType.add(new IndicatorAjaxEventBehavior(Constants.ON_CHANGE) {
+
+            private static final long serialVersionUID = -4255753643957306394L;
+
+            @Override
+            protected void onEvent(final AjaxRequestTarget target) {
+                if ("ec".equals(jwksTypeM.getObject())) {
+                    jwksKeySizeM.setObject(256);
+                } else {
+                    jwksKeySizeM.setObject(2048);
+                }
+                target.add(jwksKeySize);
+            }
+        });
+    }
+
+    @Override
+    public void onSubmit(final AjaxRequestTarget target) {
+        try {
+            oidcJWKSRestClient.generate(jwksKeyIdM.getObject(), jwksTypeM.getObject(), jwksKeySizeM.getObject());
+
+            SyncopeConsoleSession.get().success(getString(Constants.OPERATION_SUCCEEDED));
+            modal.close(target);
+        } catch (Exception e) {
+            LOG.error("While generating OIDC JWKS", e);
+            SyncopeConsoleSession.get().onException(e);
+        }
+        ((BaseWebPage) pageRef.getPage()).getNotificationPanel().refresh(target);
+    }
+}

client/am/console/src/main/java/org/apache/syncope/client/console/rest/OIDCJWKSRestClient.java

@@ -37,8 +37,8 @@ public AtomicReference<OIDCJWKSTO> get() {
         return result;
     }
 
-    public OIDCJWKSTO generate() {
-        Response response = getService(OIDCJWKSService.class).generate("syncope", "RSA", 2048);
+    public OIDCJWKSTO generate(final String jwksKeyId, final String jwksType, final int jwksKeySize) {
+        Response response = getService(OIDCJWKSService.class).generate(jwksKeyId, jwksType, jwksKeySize);
         return response.readEntity(OIDCJWKSTO.class);
     }
 

client/am/console/src/main/resources/org/apache/syncope/client/console/panels/OIDC.html

@@ -49,6 +49,7 @@ <h3 class="card-title">Well-Known URI</h3>
       </div>
     </div>
 
+    <div wicket:id="generateModal"/>
     <div wicket:id="viewModal"/>
   </wicket:panel>
 </html>

client/am/console/src/main/resources/org/apache/syncope/client/console/panels/OIDCJWKSGenerationPanel.html

@@ -0,0 +1,27 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" >
+  <wicket:extend>
+    <div class="form-group">
+      <span wicket:id="jwksKeyId"/>
+      <span wicket:id="jwksType"/>
+      <span wicket:id="jwksKeySize"/>
+    </div>
+  </wicket:extend>
+</html>

core/am/logic/src/main/java/org/apache/syncope/core/logic/AMLogicContext.java

@@ -114,10 +114,12 @@ public ClientAppLogic clientAppLogic(
     @ConditionalOnMissingBean
     @Bean
     public OIDCJWKSLogic oidcJWKSLogic(
-            final OIDCJWKSDataBinder binder,
-            final OIDCJWKSDAO dao) {
+            final OIDCJWKSDataBinder oidcJWKSDataBinder,
+            final OIDCJWKSDAO oidcJWKSDAO,
+            final WAConfigDAO waConfigDAO,
+            final EntityFactory entityFactory) {
 
-        return new OIDCJWKSLogic(binder, dao);
+        return new OIDCJWKSLogic(oidcJWKSDataBinder, oidcJWKSDAO, waConfigDAO, entityFactory);
     }
 
     @ConditionalOnMissingBean

core/am/logic/src/main/java/org/apache/syncope/core/logic/OIDCJWKSLogic.java

@@ -20,13 +20,17 @@
 
 import java.lang.reflect.Method;
 import java.util.Optional;
+import java.util.List;
 import org.apache.syncope.common.lib.to.OIDCJWKSTO;
 import org.apache.syncope.common.lib.types.AMEntitlement;
 import org.apache.syncope.common.lib.types.IdRepoEntitlement;
 import org.apache.syncope.core.persistence.api.dao.DuplicateException;
 import org.apache.syncope.core.persistence.api.dao.NotFoundException;
 import org.apache.syncope.core.persistence.api.dao.OIDCJWKSDAO;
+import org.apache.syncope.core.persistence.api.dao.WAConfigDAO;
+import org.apache.syncope.core.persistence.api.entity.EntityFactory;
 import org.apache.syncope.core.persistence.api.entity.am.OIDCJWKS;
+import org.apache.syncope.core.persistence.api.entity.am.WAConfigEntry;
 import org.apache.syncope.core.provisioning.api.data.OIDCJWKSDataBinder;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.transaction.annotation.Transactional;
@@ -35,52 +39,81 @@ public class OIDCJWKSLogic extends AbstractTransactionalLogic<OIDCJWKSTO> {
 
     protected final OIDCJWKSDataBinder binder;
 
-    protected final OIDCJWKSDAO dao;
+    protected final OIDCJWKSDAO oidcJWKSDAO;
+
+    protected final WAConfigDAO waConfigDAO;
+
+    protected final EntityFactory entityFactory;
+
+    public OIDCJWKSLogic(
+            final OIDCJWKSDataBinder binder,
+            final OIDCJWKSDAO oidcJWKSDAO,
+            final WAConfigDAO waConfigDAO,
+            final EntityFactory entityFactory) {
 
-    public OIDCJWKSLogic(final OIDCJWKSDataBinder binder, final OIDCJWKSDAO dao) {
         this.binder = binder;
-        this.dao = dao;
+        this.oidcJWKSDAO = oidcJWKSDAO;
+        this.waConfigDAO = waConfigDAO;
+        this.entityFactory = entityFactory;
     }
 
     @PreAuthorize("hasRole('" + AMEntitlement.OIDC_JWKS_READ + "') "
             + "or hasRole('" + IdRepoEntitlement.ANONYMOUS + "')")
     @Transactional(readOnly = true)
     public OIDCJWKSTO get() {
-        return Optional.ofNullable(dao.get()).
+        return Optional.ofNullable(oidcJWKSDAO.get()).
                 map(binder::getOIDCJWKSTO).
                 orElseThrow(() -> new NotFoundException("OIDC JWKS not found"));
     }
 
+    @PreAuthorize("hasRole('" + AMEntitlement.OIDC_JWKS_SET + "') "
+            + "or hasRole('" + IdRepoEntitlement.ANONYMOUS + "')")
+    public OIDCJWKSTO set(final OIDCJWKSTO entityTO) {
+        OIDCJWKS jwks = oidcJWKSDAO.get();
+        jwks.setJson(entityTO.getJson());
+        return binder.getOIDCJWKSTO(oidcJWKSDAO.save(jwks));
+    }
+
     @PreAuthorize("hasRole('" + AMEntitlement.OIDC_JWKS_GENERATE + "') "
             + "or hasRole('" + IdRepoEntitlement.ANONYMOUS + "')")
     public OIDCJWKSTO generate(final String jwksKeyId, final String jwksType, final int jwksKeySize) {
-        OIDCJWKS jwks = dao.get();
-        if (jwks == null) {
-            return binder.getOIDCJWKSTO(dao.save(binder.create(jwksKeyId, jwksType, jwksKeySize)));
+        if (oidcJWKSDAO.get() == null) {
+            OIDCJWKSTO oidcJWKSTO = binder.getOIDCJWKSTO(
+                    oidcJWKSDAO.save(binder.create(jwksKeyId, jwksType, jwksKeySize)));
+
+            WAConfigEntry jwksKeyIdConfig = entityFactory.newEntity(WAConfigEntry.class);
+            jwksKeyIdConfig.setKey("cas.authn.oidc.jwks.core.jwks-key-id");
+            jwksKeyIdConfig.setValues(List.of(jwksKeyId));
+            waConfigDAO.save(jwksKeyIdConfig);
+
+            WAConfigEntry jwksTypeConfig = entityFactory.newEntity(WAConfigEntry.class);
+            jwksTypeConfig.setKey("cas.authn.oidc.jwks.core.jwks-type");
+            jwksTypeConfig.setValues(List.of(jwksType));
+            waConfigDAO.save(jwksTypeConfig);
+
+            WAConfigEntry jwksKeySizeConfig = entityFactory.newEntity(WAConfigEntry.class);
+            jwksKeySizeConfig.setKey("cas.authn.oidc.jwks.core.jwks-key-size");
+            jwksKeySizeConfig.setValues(List.of(String.valueOf(jwksKeySize)));
+            waConfigDAO.save(jwksKeySizeConfig);
+
+            return oidcJWKSTO;
         }
+
         throw new DuplicateException("OIDC JWKS already set");
     }
 
     @PreAuthorize("hasRole('" + AMEntitlement.OIDC_JWKS_DELETE + "')")
     public void delete() {
-        dao.delete();
+        oidcJWKSDAO.delete();
     }
 
     @Override
     protected OIDCJWKSTO resolveReference(final Method method, final Object... args)
             throws UnresolvedReferenceException {
-        OIDCJWKS jwks = dao.get();
+        OIDCJWKS jwks = oidcJWKSDAO.get();
         if (jwks == null) {
             throw new UnresolvedReferenceException();
         }
         return binder.getOIDCJWKSTO(jwks);
     }
-
-    @PreAuthorize("hasRole('" + AMEntitlement.OIDC_JWKS_SET + "') "
-            + "or hasRole('" + IdRepoEntitlement.ANONYMOUS + "')")
-    public OIDCJWKSTO set(final OIDCJWKSTO entityTO) {
-        OIDCJWKS jwks = dao.get();
-        jwks.setJson(entityTO.getJson());
-        return binder.getOIDCJWKSTO(dao.save(jwks));
-    }
 }

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAOIDCJWKSDAO.java

@@ -31,8 +31,8 @@ public class JPAOIDCJWKSDAO extends AbstractDAO<OIDCJWKS> implements OIDCJWKSDAO
     @Override
     public OIDCJWKS get() {
         try {
-            TypedQuery<OIDCJWKS> query = entityManager().
-                    createQuery("SELECT e FROM " + JPAOIDCJWKS.class.getSimpleName() + " e", OIDCJWKS.class);
+            TypedQuery<OIDCJWKS> query = entityManager().createQuery(
+                    "SELECT e FROM " + JPAOIDCJWKS.class.getSimpleName() + " e", OIDCJWKS.class);
             return query.getSingleResult();
         } catch (final NoResultException e) {
             LOG.debug(e.getMessage());
@@ -47,8 +47,6 @@ public OIDCJWKS save(final OIDCJWKS jwks) {
 
     @Override
     public void delete() {
-        entityManager().
-                createQuery("DELETE FROM " + JPAOIDCJWKS.class.getSimpleName()).
-                executeUpdate();
+        entityManager().createQuery("DELETE FROM " + JPAOIDCJWKS.class.getSimpleName()).executeUpdate();
     }
 }