Merge branch '1.2.x'

Author: josebarrueta

api/src/main/java/com/stormpath/sdk/lang/Strings.java

@@ -16,6 +16,7 @@
 package com.stormpath.sdk.lang;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1264,4 +1265,34 @@ public static String arrayToCommaDelimitedString(Object[] arr) {
         return arrayToDelimitedString(arr, ",");
     }
 
+    /**
+     * Calls {@link String#getBytes(Charset)}
+     *
+     * @param string  The string to encode (if null, return null).
+     * @param charset The {@link Charset} to encode the <code>String</code>
+     * @return the encoded bytes
+     * @since 1.2.1
+     */
+    private static byte[] getBytes(final String string, final Charset charset) {
+        if (string == null) {
+            return null;
+        }
+        return string.getBytes(charset);
+    }
+
+    /**
+     * Encodes the given string into a sequence of bytes using the UTF-8 charset, storing the result into a new byte
+     * array.
+     *
+     * @param string the String to encode, may be <code>null</code>
+     * @return encoded bytes, or <code>null</code> if the input string was <code>null</code>
+     * @throws NullPointerException Thrown if {@link StandardCharsets#UTF_8} is not initialized, which should never happen since it is
+     *                              required by the Java platform specification.
+     * @see <a href="http://download.oracle.com/javase/6/docs/api/java/nio/charset/Charset.html">Standard charsets</a>
+     * @since 1.2.1
+     */
+    public static byte[] getBytesUtf8(final String string) {
+        return getBytes(string, StandardCharsets.UTF_8);
+    }
+
 }

ci/before_install.sh

@@ -14,7 +14,7 @@ export IS_RELEASE="$([ ${RELEASE_VERSION/SNAPSHOT} == $RELEASE_VERSION ] && [ $T
 export BUILD_DOCS="$([ $TRAVIS_JDK_VERSION == 'oraclejdk8' ] && echo 'true')"
 export RUN_ITS="$([ $TRAVIS_JDK_VERSION == 'openjdk7' ] && echo 'true')"
 #Install Maven 3.3.9 since Travis uses 3.2 by default
-wget https://archive.apache.org/dist/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.zip
+wget http://mirror.cc.columbia.edu/pub/software/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.zip
 unzip -qq apache-maven-3.3.9-bin.zip
 export M2_HOME=$PWD/apache-maven-3.3.9
 export PATH=$M2_HOME/bin:$PATH

extensions/httpclient/src/test/groovy/com/stormpath/sdk/impl/application/webconfig/WebConfigurationIT.groovy

@@ -27,9 +27,18 @@ import com.stormpath.sdk.application.webconfig.MeConfig
 import com.stormpath.sdk.application.webconfig.MeExpansionConfig
 import com.stormpath.sdk.application.webconfig.Oauth2Config
 import com.stormpath.sdk.application.webconfig.VerifyEmailConfig
+import com.stormpath.sdk.cache.Caches
 import com.stormpath.sdk.client.Client
 import com.stormpath.sdk.client.ClientIT
+import com.stormpath.sdk.client.Clients
 import com.stormpath.sdk.directory.Directory
+import com.stormpath.sdk.oauth.AccessToken
+import com.stormpath.sdk.oauth.Authenticators
+import com.stormpath.sdk.oauth.OAuthBearerRequestAuthentication
+import com.stormpath.sdk.oauth.OAuthPasswordGrantRequestAuthentication
+import com.stormpath.sdk.oauth.OAuthRequestAuthenticator
+import com.stormpath.sdk.oauth.OAuthRequests
+import com.stormpath.sdk.oauth.RefreshToken
 import org.testng.annotations.Test
 
 import static org.testng.Assert.*
@@ -185,6 +194,42 @@ class WebConfigurationIT extends ClientIT {
         }
     }
 
+    @Test
+    void testGetAccessTokenSignedWithDifferentKey() {
+
+        def app = createTempApp()
+
+        def account = createTestAccount(app)
+
+        OAuthPasswordGrantRequestAuthentication grantRequest = OAuthRequests.OAUTH_PASSWORD_GRANT_REQUEST.builder()
+                .setLogin(account.email).setPassword("Changeme1!").build()
+
+        OAuthRequestAuthenticator authenticator = Authenticators.OAUTH_PASSWORD_GRANT_REQUEST_AUTHENTICATOR.forApplication(app)
+
+        def accessTokenResult = authenticator.authenticate(grantRequest)
+
+        def webConfigApiKey = app.getWebConfig().getSigningApiKey()
+
+        def client = Clients.builder().setBaseUrl(baseUrl).setCacheManager(Caches.newDisabledCacheManager()).setApiKey(webConfigApiKey).build()
+
+        def newClientApp = client.getResource(app.href, Application)
+
+        // Authenticate token against Stormpath
+        OAuthBearerRequestAuthentication authRequest = OAuthRequests.OAUTH_BEARER_REQUEST.builder().setJwt(accessTokenResult.getAccessTokenString()).build()
+        def authResultRemote = Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(newClientApp).authenticate(authRequest)
+
+        assertEquals authResultRemote.getApplication().getHref(), app.href
+        assertEquals authResultRemote.getAccount().getHref(), account.href
+
+        def accessToken = client.getResource(accessTokenResult.accessTokenHref, AccessToken)
+
+        assertNotNull accessToken
+
+        def refreshToken = client.getResource(accessTokenResult.refreshToken.href, RefreshToken)
+
+        assertNotNull refreshToken
+    }
+
     ApiKey createTmpApiKey(Application application) {
         def directory = client.instantiate(Directory)
         directory.setName(uniquify("Admins"))

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/AccessTokenController.java

@@ -22,10 +22,12 @@
 import com.stormpath.sdk.impl.authc.DefaultBasicApiAuthenticationRequest;
 import com.stormpath.sdk.impl.authc.DefaultHttpServletRequestWrapper;
 import com.stormpath.sdk.impl.error.DefaultError;
+import com.stormpath.sdk.impl.oauth.DefaultIdSiteAuthenticationRequest;
 import com.stormpath.sdk.impl.oauth.DefaultOAuthStormpathSocialGrantRequestAuthentication;
 import com.stormpath.sdk.lang.Assert;
 import com.stormpath.sdk.oauth.AccessTokenResult;
 import com.stormpath.sdk.oauth.Authenticators;
+import com.stormpath.sdk.oauth.IdSiteAuthenticationRequest;
 import com.stormpath.sdk.oauth.OAuthClientCredentialsGrantRequestAuthentication;
 import com.stormpath.sdk.oauth.OAuthGrantRequestAuthenticationResult;
 import com.stormpath.sdk.oauth.OAuthPasswordGrantRequestAuthentication;
@@ -67,6 +69,7 @@ public class AccessTokenController extends AbstractController {
     private static final String CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials";
     private static final String PASSWORD_GRANT_TYPE = "password";
     private static final String STORMPATH_SOCIAL_GRANT_TYPE = "stormpath_social";
+    private static final String STORMPATH_TOKEN_GRANT_TYPE = "stormpath_token";
     private static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
     private static final String GRANT_TYPE_PARAM_NAME = "grant_type";
 
@@ -244,11 +247,11 @@ private AccessTokenResult refreshTokenAuthenticationRequest(HttpServletRequest r
      * @since 1.0.0
      */
     private AccessTokenResult clientCredentialsAuthenticationRequest(HttpServletRequest request, HttpServletResponse response) {
-        DefaultBasicApiAuthenticationRequest authenticationRequest = new DefaultBasicApiAuthenticationRequest(new DefaultHttpServletRequestWrapper(request));
-
         OAuthGrantRequestAuthenticationResult authenticationResult;
 
         try {
+            DefaultBasicApiAuthenticationRequest authenticationRequest = new DefaultBasicApiAuthenticationRequest(new DefaultHttpServletRequestWrapper(request));
+
             Application app = getApplication(request);
             OAuthClientCredentialsGrantRequestAuthentication clientCredentialsGrantRequestAuthentication =
                     OAuthRequests.OAUTH_CLIENT_CREDENTIALS_GRANT_REQUEST.builder()
@@ -287,6 +290,8 @@ private AccessTokenResult stormpathSocialAuthenticationRequest(HttpServletReques
         } catch (ResourceException e) {
             log.debug("Unable to authenticate stormpath social grant request: {}", e.getMessage(), e);
             throw convertToOAuthException(e, OAuthErrorCode.INVALID_CLIENT);
+        } catch (IllegalArgumentException ex) {
+            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST);
         }
 
         return createAccessTokenResult(request, response, authenticationResult);
@@ -305,6 +310,29 @@ private OAuthException convertToOAuthException(ResourceException e, OAuthErrorCo
         return new OAuthException(oauthError, message);
     }
 
+    private AccessTokenResult stormpathTokenAuthenticationRequest(HttpServletRequest request, HttpServletResponse response) {
+        OAuthGrantRequestAuthenticationResult authenticationResult;
+
+        try {
+            Application app = getApplication(request);
+            String token = request.getParameter("token");
+
+            IdSiteAuthenticationRequest authenticationRequest = new DefaultIdSiteAuthenticationRequest(token);
+
+            authenticationResult = Authenticators.ID_SITE_AUTHENTICATOR
+                    .forApplication(app)
+                    .authenticate(authenticationRequest);
+        } catch (ResourceException e) {
+            log.debug("Unable to authenticate stormpath token grant request: {}", e.getMessage(), e);
+            throw convertToOAuthException(e, OAuthErrorCode.INVALID_CLIENT);
+        } catch (IllegalArgumentException ex) {
+            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST);
+        }
+
+        return createAccessTokenResult(request, response, authenticationResult);
+    }
+
+
     @Override
     protected ViewModel doPost(HttpServletRequest request, HttpServletResponse response) throws Exception {
 
@@ -350,6 +378,14 @@ protected ViewModel doPost(HttpServletRequest request, HttpServletResponse respo
                         throw new OAuthException(OAuthErrorCode.INVALID_CLIENT);
                     }
                     break;
+                case STORMPATH_TOKEN_GRANT_TYPE:
+                    try {
+                        result = this.stormpathTokenAuthenticationRequest(request, response);
+                    } catch (HttpAuthenticationException ex) {
+                        log.warn("Unable to authenticate client", ex);
+                        throw new OAuthException(OAuthErrorCode.INVALID_CLIENT);
+                    }
+                    break;
                 default:
                     throw new OAuthException(OAuthErrorCode.UNSUPPORTED_GRANT_TYPE, "'" + grantType + "' is an unsupported grant type.");
             }

extensions/spring/boot/stormpath-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebMvcAutoConfiguration.java

@@ -44,6 +44,8 @@
 import com.stormpath.sdk.servlet.filter.account.JwtSigningKeyResolver;
 import com.stormpath.sdk.servlet.filter.oauth.AccessTokenAuthenticationRequestFactory;
 import com.stormpath.sdk.servlet.filter.oauth.AccessTokenResultFactory;
+import com.stormpath.sdk.servlet.filter.oauth.RefreshTokenAuthenticationRequestFactory;
+import com.stormpath.sdk.servlet.filter.oauth.RefreshTokenResultFactory;
 import com.stormpath.sdk.servlet.http.MediaType;
 import com.stormpath.sdk.servlet.http.Resolver;
 import com.stormpath.sdk.servlet.http.Saver;
@@ -291,6 +293,12 @@ public AccessTokenResultFactory stormpathAccessTokenResultFactory() {
         return super.stormpathAccessTokenResultFactory();
     }
 
+    @Bean
+    @ConditionalOnMissingBean
+    public RefreshTokenResultFactory stormpathRefreshTokenResultFactory() {
+        return super.stormpathRefreshTokenResultFactory();
+    }
+
     @Bean
     @ConditionalOnMissingBean
     public WrappedServletRequestFactory stormpathWrappedServletRequestFactory() {
@@ -487,6 +495,12 @@ public AccessTokenAuthenticationRequestFactory stormpathAccessTokenAuthenticatio
         return super.stormpathAccessTokenAuthenticationRequestFactory();
     }
 
+    @Bean
+    @ConditionalOnMissingBean
+    public RefreshTokenAuthenticationRequestFactory stormpathRefreshTokenAuthenticationRequestFactory() {
+        return super.stormpathRefreshTokenAuthenticationRequestFactory();
+    }
+
     @Bean
     @ConditionalOnMissingBean(name = "stormpathAccessTokenRequestAuthorizer")
     public RequestAuthorizer stormpathAccessTokenRequestAuthorizer() {
@@ -526,7 +540,7 @@ public Controller stormpathMeController() {
 
     @Bean
     @ConditionalOnMissingBean
-    public ExpandsResolver stormpathMeExpandsResolver(){
+    public ExpandsResolver stormpathMeExpandsResolver() {
         return super.stormpathMeExpandsResolver();
     }
 
@@ -654,7 +668,7 @@ public ControllerConfig stormpathVerifyConfig() {
      */
     @Bean
     @ConditionalOnMissingBean(name = "stormpathAccessTokenConfig")
-    public AccessTokenControllerConfig stormpathAccessTokenConfig(){
+    public AccessTokenControllerConfig stormpathAccessTokenConfig() {
         return super.stormpathAccessTokenConfig();
     }
 

extensions/spring/stormpath-spring-webmvc/src/main/java/com/stormpath/spring/config/StormpathWebMvcConfiguration.java

@@ -43,6 +43,8 @@
 import com.stormpath.sdk.servlet.filter.account.JwtSigningKeyResolver;
 import com.stormpath.sdk.servlet.filter.oauth.AccessTokenAuthenticationRequestFactory;
 import com.stormpath.sdk.servlet.filter.oauth.AccessTokenResultFactory;
+import com.stormpath.sdk.servlet.filter.oauth.RefreshTokenAuthenticationRequestFactory;
+import com.stormpath.sdk.servlet.filter.oauth.RefreshTokenResultFactory;
 import com.stormpath.sdk.servlet.http.MediaType;
 import com.stormpath.sdk.servlet.http.Resolver;
 import com.stormpath.sdk.servlet.http.Saver;
@@ -246,6 +248,11 @@ public AccessTokenResultFactory stormpathAccessTokenResultFactory() {
         return super.stormpathAccessTokenResultFactory();
     }
 
+    @Bean
+    public RefreshTokenResultFactory stormpathRefreshTokenResultFactory(){
+        return super.stormpathRefreshTokenResultFactory();
+    }
+
     @Bean
     public WrappedServletRequestFactory stormpathWrappedServletRequestFactory() {
         return super.stormpathWrappedServletRequestFactory();
@@ -422,6 +429,11 @@ public AccessTokenAuthenticationRequestFactory stormpathAccessTokenAuthenticatio
         return super.stormpathAccessTokenAuthenticationRequestFactory();
     }
 
+    @Bean
+    public RefreshTokenAuthenticationRequestFactory stormpathRefreshTokenAuthenticationRequestFactory(){
+        return super.stormpathRefreshTokenAuthenticationRequestFactory();
+    }
+
     @Bean
     public RequestAuthorizer stormpathAccessTokenRequestAuthorizer() {
         return super.stormpathAccessTokenRequestAuthorizer();

impl/src/main/java/com/stormpath/sdk/impl/oauth/AbstractBaseOAuthToken.java

@@ -19,7 +19,9 @@
 import com.stormpath.sdk.tenant.Tenant;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 
 import java.util.Date;
 import java.util.Map;
@@ -102,8 +104,26 @@ public void revoke() {
         OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(getApplication()).revoke(revocationRequest);
     }
 
-    protected static Jws<Claims> parseJws(String token, ApiKey apiKey) {
-        return Jwts.parser().setSigningKey(apiKey.getSecret().getBytes(Strings.UTF_8)).parseClaimsJws(token);
+    /**
+     * @since 1.2.1
+     */
+    protected static Jws<Claims> parseJws(String token, final InternalDataStore dataStore) {
+
+        final ApiKey clientApiKey = dataStore.getApiKey();
+
+        return Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+            @Override
+            public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+                String keyId = header.getKeyId();
+
+                if (Strings.hasText(keyId) && !clientApiKey.getId().equals(keyId)) {
+                    String url = dataStore.getBaseUrl() + "/apiKeys/" + keyId;
+                    ApiKey apiKey = dataStore.getResource(url, ApiKey.class);
+                    return Strings.getBytesUtf8(apiKey.getSecret());
+                }
+                return Strings.getBytesUtf8(clientApiKey.getSecret());
+            }
+        }).parseClaimsJws(token);
     }
 
     protected abstract TokenTypeHint getTokenTypeHint();

impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultAccessToken.java

@@ -47,8 +47,7 @@ private void ensureAccessToken() {
         if(isMaterialized()) {
             try {
 
-                ApiKey apiKey = getDataStore().getApiKey();
-                JwsHeader header = AbstractBaseOAuthToken.parseJws(getString(JWT), apiKey).getHeader();
+                JwsHeader header = AbstractBaseOAuthToken.parseJws(getString(JWT), getDataStore()).getHeader();
 
                 String tokenType = (String) header.get("stt");
                 Assert.isTrue(tokenType.equals("access"));

impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultGrantAuthenticationToken.java

@@ -88,7 +88,7 @@ public RefreshToken getAsRefreshToken() {
             return null;
         }
 
-        Jws<Claims> jws = AbstractBaseOAuthToken.parseJws(refreshToken, getDataStore().getApiKey());
+        Jws<Claims> jws = AbstractBaseOAuthToken.parseJws(refreshToken, getDataStore());
         Map<String, Object> props = new LinkedHashMap<String, Object>(1);
         String refreshTokenID = jws.getBody().getId();
         props.put("href", getDataStore().getBaseUrl() + "/refreshTokens/" + refreshTokenID);