Changeset 18650 in josm for trunk/src/org/openstreetmap/josm/data/oauth

Timestamp:

2023-02-08T18:31:58+01:00 (3 years ago)

Author:

taylor.smock

Message:

Fix #20768: Add OAuth 2.0 support

This also fixes #21607: authentication buttons are unavailable when credentials
are set.

Location:

trunk/src/org/openstreetmap/josm/data/oauth

Files:

• IOAuthAuthorization.java (added)
• IOAuthParameters.java (added)
• IOAuthToken.java (added)
• OAuth20Authorization.java (added)
• OAuth20Exception.java (added)
• OAuth20Parameters.java (added)
• OAuth20Token.java (added)
• OAuthAccessTokenHolder.java (modified) (5 diffs)
• OAuthException.java (added)
• OAuthParameters.java (modified) (7 diffs)
• OAuthVersion.java (added)
• osm (added)
• osm/OsmScopes.java (added)
• osm/package-info.java (added)

trunk/src/org/openstreetmap/josm/data/oauth/OAuthAccessTokenHolder.java

@@ -4 +4 @@
 import static org.openstreetmap.josm.tools.I18n.tr;
 
+import java.net.URI;
+import java.util.EnumMap;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+
 import org.openstreetmap.josm.io.auth.CredentialsAgent;
 import org.openstreetmap.josm.io.auth.CredentialsAgentException;
+import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
@@ -32 +40 @@
     private String accessTokenSecret;
 
+    private final Map<String, Map<OAuthVersion, IOAuthToken>> tokenMap = new HashMap<>();
+
     /**
      * Replies true if current access token should be saved to the preferences file.
@@ -101 +111 @@
             return null;
         return new OAuthToken(accessTokenKey, accessTokenSecret);
+    }
+
+    /**
+     * Replies the access token.
+     * @param api The api the token is for
+     * @param version The OAuth version the token is for
+     * @return the access token, can be {@code null}
+     * @since 18650
+     */
+    public IOAuthToken getAccessToken(String api, OAuthVersion version) {
+        api = URI.create(api).getHost();
+        if (this.tokenMap.containsKey(api)) {
+            Map<OAuthVersion, IOAuthToken> map = this.tokenMap.get(api);
+            return map.get(version);
+        }
+        try {
+            IOAuthToken token = CredentialsManager.getInstance().lookupOAuthAccessToken(api);
+            // We *do* want to set the API token to null, if it doesn't exist. Just to avoid unnecessary lookups.
+            this.setAccessToken(api, token);
+            return token;
+        } catch (CredentialsAgentException exception) {
+            Logging.trace(exception);
+        }
+        return null;
     }
 
@@ -126 +160 @@
             this.accessTokenKey = token.getKey();
             this.accessTokenSecret = token.getSecret();
+        }
+    }
+
+    /**
+     * Sets the access token hold by this holder.
+     *
+     * @param api The api the token is for
+     * @param token the access token. Can be null to clear the content in this holder.
+     * @since 18650
+     */
+    public void setAccessToken(String api, IOAuthToken token) {
+        Objects.requireNonNull(api, "api url");
+        // Sometimes the api might be sent as the host
+        api = Optional.ofNullable(URI.create(api).getHost()).orElse(api);
+        if (token == null) {
+            if (this.tokenMap.containsKey(api)) {
+                this.tokenMap.get(api).clear();
+            }
+        } else {
+            this.tokenMap.computeIfAbsent(api, key -> new EnumMap<>(OAuthVersion.class)).put(token.getOAuthType(), token);
         }
     }
@@ -176 +230 @@
             if (!saveToPreferences) {
                 cm.storeOAuthAccessToken(null);
+                for (String host : this.tokenMap.keySet()) {
+                    cm.storeOAuthAccessToken(host, null);
+                }
             } else {
-                cm.storeOAuthAccessToken(new OAuthToken(accessTokenKey, accessTokenSecret));
+                if (this.accessTokenKey != null && this.accessTokenSecret != null) {
+                    cm.storeOAuthAccessToken(new OAuthToken(accessTokenKey, accessTokenSecret));
+                }
+                for (Map.Entry<String, Map<OAuthVersion, IOAuthToken>> entry : this.tokenMap.entrySet()) {
+                    if (entry.getValue().isEmpty()) {
+                        cm.storeOAuthAccessToken(entry.getKey(), null);
+                        continue;
+                    }
+                    for (OAuthVersion version : OAuthVersion.values()) {
+                        if (entry.getValue().containsKey(version)) {
+                            cm.storeOAuthAccessToken(entry.getKey(), entry.getValue().get(version));
+                        }
+                    }
+                }
             }
         } catch (CredentialsAgentException e) {

trunk/src/org/openstreetmap/josm/data/oauth/OAuthParameters.java

@@ -2 +2 @@
 package org.openstreetmap.josm.data.oauth;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.net.URL;
 import java.util.Objects;
 
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonReader;
+import javax.json.JsonStructure;
+import javax.json.JsonValue;
+
+import org.openstreetmap.josm.io.OsmApi;
+import org.openstreetmap.josm.io.auth.CredentialsAgentException;
+import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.spi.preferences.IUrls;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
+import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.Logging;
 import org.openstreetmap.josm.tools.Utils;
 
@@ -16 +30 @@
  * @since 2747
  */
-public class OAuthParameters {
+public class OAuthParameters implements IOAuthParameters {
 
     /**
@@ -47 +61 @@
      */
     public static OAuthParameters createDefault(String apiUrl) {
+        return (OAuthParameters) createDefault(apiUrl, OAuthVersion.OAuth10a);
+    }
+
+    /**
+     * Replies a set of default parameters for a consumer accessing an OSM server
+     * at the given API url. URL parameters are only set if the URL equals {@link IUrls#getDefaultOsmApiUrl}
+     * or references the domain "dev.openstreetmap.org", otherwise they may be <code>null</code>.
+     *
+     * @param apiUrl The API URL for which the OAuth default parameters are created. If null or empty, the default OSM API url is used.
+     * @param oAuthVersion The OAuth version to create default parameters for
+     * @return a set of default parameters for the given {@code apiUrl}
+     * @since 18650
+     */
+    public static IOAuthParameters createDefault(String apiUrl, OAuthVersion oAuthVersion) {
+        if (!Utils.isValidUrl(apiUrl)) {
+            apiUrl = null;
+        }
+
+        switch (oAuthVersion) {
+            case OAuth10a:
+                return getDefaultOAuth10Parameters(apiUrl);
+            case OAuth20:
+            case OAuth21: // For now, OAuth 2.1 (draft) is just OAuth 2.0 with mandatory extensions, which we implement.
+                return getDefaultOAuth20Parameters(apiUrl);
+            default:
+                throw new IllegalArgumentException("Unknown OAuth version: " + oAuthVersion);
+        }
+    }
+
+    /**
+     * Get the default OAuth 2.0 parameters
+     * @param apiUrl The API url
+     * @return The default parameters
+     */
+    private static OAuth20Parameters getDefaultOAuth20Parameters(String apiUrl) {
+        final String clientId;
+        final String clientSecret;
+        final String redirectUri;
+        final String baseUrl;
+        if (apiUrl != null && !Config.getUrls().getDefaultOsmApiUrl().equals(apiUrl)) {
+            clientId = "";
+            clientSecret = "";
+            baseUrl = apiUrl;
+            HttpClient client = null;
+            redirectUri = "";
+            // Check if the server is RFC 8414 compliant
+            try {
+                client = HttpClient.create(new URL(apiUrl + (apiUrl.endsWith("/") ? "" : "/") + ".well-known/oauth-authorization-server"));
+                HttpClient.Response response = client.connect();
+                if (response.getResponseCode() == 200) {
+                    try (BufferedReader reader = response.getContentReader();
+                         JsonReader jsonReader = Json.createReader(reader)) {
+                        JsonStructure structure = jsonReader.read();
+                        if (structure.getValueType() == JsonValue.ValueType.OBJECT) {
+                            return parseAuthorizationServerMetadataResponse(clientId, clientSecret, apiUrl,
+                                    redirectUri, structure.asJsonObject());
+                        }
+                    }
+                }
+            } catch (IOException | OAuthException e) {
+                Logging.trace(e);
+            } finally {
+                if (client != null) client.disconnect();
+            }
+        } else {
+            clientId = "edPII614Lm0_0zEpc_QzEltA9BUll93-Y-ugRQUoHMI";
+            // We don't actually use the client secret in our authorization flow.
+            clientSecret = null;
+            baseUrl = "https://www.openstreetmap.org/oauth2";
+            redirectUri = "http://127.0.0.1:8111/oauth_authorization";
+            apiUrl = OsmApi.getOsmApi().getBaseUrl();
+        }
+        return new OAuth20Parameters(clientId, clientSecret, baseUrl, apiUrl, redirectUri);
+    }
+
+    /**
+     * Parse the response from <a href="https://www.rfc-editor.org/rfc/rfc8414.html">RFC 8414</a>
+     * (OAuth 2.0 Authorization Server Metadata)
+     * @return The parameters for the server metadata
+     */
+    private static OAuth20Parameters parseAuthorizationServerMetadataResponse(String clientId, String clientSecret,
+                                                                              String apiUrl, String redirectUri,
+                                                                              JsonObject serverMetadata)
+            throws OAuthException {
+        final String authorizationEndpoint = serverMetadata.getString("authorization_endpoint", null);
+        final String tokenEndpoint = serverMetadata.getString("token_endpoint", null);
+        // This may also have additional documentation like what the endpoints allow (e.g. scopes, algorithms, etc.)
+        if (authorizationEndpoint == null || tokenEndpoint == null) {
+            throw new OAuth20Exception("Either token endpoint or authorization endpoints are missing");
+        }
+        return new OAuth20Parameters(clientId, clientSecret, tokenEndpoint, authorizationEndpoint, apiUrl, redirectUri);
+    }
+
+    /**
+     * Get the default OAuth 1.0a parameters
+     * @param apiUrl The api url
+     * @return The default parameters
+     */
+    private static OAuthParameters getDefaultOAuth10Parameters(String apiUrl) {
         final String consumerKey;
         final String consumerSecret;
         final String serverUrl;
-
-        if (!Utils.isValidUrl(apiUrl)) {
-            apiUrl = null;
-        }
 
         if (apiUrl != null && !Config.getUrls().getDefaultOsmApiUrl().equals(apiUrl)) {
@@ -82 +191 @@
      */
     public static OAuthParameters createFromApiUrl(String apiUrl) {
-        OAuthParameters parameters = createDefault(apiUrl);
-        return new OAuthParameters(
-                Config.getPref().get("oauth.settings.consumer-key", parameters.getConsumerKey()),
-                Config.getPref().get("oauth.settings.consumer-secret", parameters.getConsumerSecret()),
-                Config.getPref().get("oauth.settings.request-token-url", parameters.getRequestTokenUrl()),
-                Config.getPref().get("oauth.settings.access-token-url", parameters.getAccessTokenUrl()),
-                Config.getPref().get("oauth.settings.authorise-url", parameters.getAuthoriseUrl()),
-                Config.getPref().get("oauth.settings.osm-login-url", parameters.getOsmLoginUrl()),
-                Config.getPref().get("oauth.settings.osm-logout-url", parameters.getOsmLogoutUrl()));
+        return (OAuthParameters) createFromApiUrl(apiUrl, OAuthVersion.OAuth10a);
+    }
+
+    /**
+     * Replies a set of parameters as defined in the preferences.
+     *
+     * @param oAuthVersion The OAuth version to use.
+     * @param apiUrl the API URL. Must not be {@code null}.
+     * @return the parameters
+     * @since 18650
+     */
+    public static IOAuthParameters createFromApiUrl(String apiUrl, OAuthVersion oAuthVersion) {
+        IOAuthParameters parameters = createDefault(apiUrl, oAuthVersion);
+        switch (oAuthVersion) {
+            case OAuth10a:
+                OAuthParameters oauth10aParameters = (OAuthParameters) parameters;
+                return new OAuthParameters(
+                    Config.getPref().get("oauth.settings.consumer-key", oauth10aParameters.getConsumerKey()),
+                    Config.getPref().get("oauth.settings.consumer-secret", oauth10aParameters.getConsumerSecret()),
+                    Config.getPref().get("oauth.settings.request-token-url", oauth10aParameters.getRequestTokenUrl()),
+                    Config.getPref().get("oauth.settings.access-token-url", oauth10aParameters.getAccessTokenUrl()),
+                    Config.getPref().get("oauth.settings.authorise-url", oauth10aParameters.getAuthoriseUrl()),
+                    Config.getPref().get("oauth.settings.osm-login-url", oauth10aParameters.getOsmLoginUrl()),
+                    Config.getPref().get("oauth.settings.osm-logout-url", oauth10aParameters.getOsmLogoutUrl()));
+            case OAuth20:
+            case OAuth21: // Right now, OAuth 2.1 will work with our OAuth 2.0 implementation
+                OAuth20Parameters oAuth20Parameters = (OAuth20Parameters) parameters;
+                try {
+                    IOAuthToken storedToken = CredentialsManager.getInstance().lookupOAuthAccessToken(apiUrl);
+                    return storedToken != null ? storedToken.getParameters() : oAuth20Parameters;
+                } catch (CredentialsAgentException e) {
+                    Logging.trace(e);
+                }
+                return oAuth20Parameters;
+            default:
+                throw new IllegalArgumentException("Unknown OAuth version: " + oAuthVersion);
+        }
     }
 
@@ -96 +233 @@
      * Remembers the current values in the preferences.
      */
+    @Override
     public void rememberPreferences() {
         Config.getPref().put("oauth.settings.consumer-key", getConsumerKey());
@@ -183 +321 @@
      * @return The access token URL
      */
+    @Override
     public String getAccessTokenUrl() {
         return accessTokenUrl;
     }
 
+    @Override
+    public String getAuthorizationUrl() {
+        return this.authoriseUrl;
+    }
+
+    @Override
+    public OAuthVersion getOAuthVersion() {
+        return OAuthVersion.OAuth10a;
+    }
+
+    @Override
+    public String getClientId() {
+        return this.consumerKey;
+    }
+
+    @Override
+    public String getClientSecret() {
+        return this.consumerSecret;
+    }
+
     /**
      * Gets the authorise URL.
@@ -192 +351 @@
      */
     public String getAuthoriseUrl() {
-        return authoriseUrl;
+        return this.getAuthorizationUrl();
     }