ARC-1222: Bootstrap Relying Party OIDC Server (#8)

* ARC-1222: Basic working OIDC server

* ARC-1222: Test coverage

Author: thomasrichner-oviva

.gitignore

@@ -3,4 +3,5 @@ target/
 gesundheitsid/env.properties
 *.iml
 gesundheitsid/dependency-reduced-pom.xml
+.flattened-pom.xml
 *_jwks.json

gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/JoseModule.java

@@ -0,0 +1,17 @@
+package com.oviva.gesundheitsid.util;
+
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import com.fasterxml.jackson.databind.ser.std.StdDelegatingSerializer;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.JWKSet;
+import com.oviva.gesundheitsid.util.JWKSetDeserializer.JWKDeserializer;
+
+public class JoseModule extends SimpleModule {
+
+  public JoseModule() {
+    super("jose");
+    addDeserializer(JWK.class, new JWKDeserializer(JWK.class));
+    addDeserializer(JWKSet.class, new JWKSetDeserializer(JWKSet.class));
+    addSerializer(new StdDelegatingSerializer(JWKSet.class, new JWKSetConverter()));
+  }
+}

gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/JsonCodec.java

@@ -3,11 +3,6 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.module.SimpleModule;
-import com.fasterxml.jackson.databind.ser.std.StdDelegatingSerializer;
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.oviva.gesundheitsid.util.JWKSetDeserializer.JWKDeserializer;
 import java.io.IOException;
 
 public class JsonCodec {
@@ -17,11 +12,7 @@ public class JsonCodec {
   static {
     var om = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 
-    var mod = new SimpleModule("jwks");
-    mod.addDeserializer(JWK.class, new JWKDeserializer(JWK.class));
-    mod.addDeserializer(JWKSet.class, new JWKSetDeserializer(JWKSet.class));
-    mod.addSerializer(new StdDelegatingSerializer(JWKSet.class, new JWKSetConverter()));
-    om.registerModule(mod);
+    om.registerModule(new JoseModule());
 
     JsonCodec.om = om;
   }

oidc-server/pom.xml

@@ -10,10 +10,15 @@
     <version>0.0.1-SNAPSHOT</version>
   </parent>
 
-  <artifactId>gesundheitsid</artifactId>
+  <artifactId>oidc-server</artifactId>
   <packaging>jar</packaging>
 
   <dependencies>
+    <dependency>
+      <groupId>com.oviva.gesundheitsid</groupId>
+      <artifactId>gesundheitsid</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
@@ -42,6 +47,39 @@
       <groupId>jakarta.ws.rs</groupId>
       <artifactId>jakarta.ws.rs-api</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.jboss.resteasy</groupId>
+      <artifactId>resteasy-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jboss.resteasy</groupId>
+      <artifactId>resteasy-undertow</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.jakarta.rs</groupId>
+      <artifactId>jackson-jakarta-rs-json-provider</artifactId>
+    </dependency>
+
+    <!-- BEGIN logging-->
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback.contrib</groupId>
+      <artifactId>logback-json-classic</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>ch.qos.logback</groupId>
+          <artifactId>logback-core</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback.contrib</groupId>
+      <artifactId>logback-jackson</artifactId>
+    </dependency>
+    <!-- END logging-->
 
     <dependency>
       <groupId>org.junit.jupiter</groupId>
@@ -104,12 +142,6 @@
       <scope>test</scope>
     </dependency>
 
-    <dependency>
-      <groupId>org.jboss.resteasy</groupId>
-      <artifactId>resteasy-core</artifactId>
-      <scope>test</scope>
-    </dependency>
-
   </dependencies>
 
 </project>

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/Main.java

@@ -0,0 +1,81 @@
+package com.oviva.gesundheitsid.relyingparty;
+
+import com.oviva.gesundheitsid.relyingparty.cfg.Config;
+import com.oviva.gesundheitsid.relyingparty.cfg.ConfigProvider;
+import com.oviva.gesundheitsid.relyingparty.cfg.EnvConfigProvider;
+import com.oviva.gesundheitsid.relyingparty.svc.InMemoryCodeRepo;
+import com.oviva.gesundheitsid.relyingparty.svc.InMemorySessionRepo;
+import com.oviva.gesundheitsid.relyingparty.svc.KeyStore;
+import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuerImpl;
+import com.oviva.gesundheitsid.relyingparty.ws.App;
+import jakarta.ws.rs.SeBootstrap;
+import jakarta.ws.rs.SeBootstrap.Configuration;
+import java.net.URI;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class Main {
+
+  private static final Logger logger = LoggerFactory.getLogger(Main.class);
+
+  private static final String BANNER =
+      """
+          ____       _
+         / __ \\_  __(_)  _____ _
+        / /_/ / |/ / / |/ / _ `/
+        \\____/|___/_/|___/\\_,_/
+             GesundheitsID OpenID Connect Relying-Party
+        """;
+
+  public static void main(String[] args) throws ExecutionException, InterruptedException {
+
+    var main = new Main();
+    main.run(new EnvConfigProvider("OIDC_SERVER", System::getenv));
+  }
+
+  public void run(ConfigProvider configProvider) throws ExecutionException, InterruptedException {
+    logger.atInfo().log("\n" + BANNER);
+
+    var baseUri = URI.create("https://t.oviva.io");
+    var validRedirectUris =
+        List.of(URI.create("https://idp-test.oviva.io/auth/realms/master/broker/oidc/endpoint"));
+
+    var supportedResponseTypes = List.of("code");
+
+    var port =
+        configProvider.get("port").stream().mapToInt(Integer::parseInt).findFirst().orElse(1234);
+    var config =
+        new Config(
+            port,
+            baseUri, // TOOD: hardcoded :)
+            // configProvider.get("base_uri").map(URI::create).orElse(URI.create("http://localhost:"
+            // + port)),
+            supportedResponseTypes,
+            validRedirectUris // TODO: hardcoded :)
+
+            //                        configProvider.get("redirect_uris").stream()
+            //                            .flatMap(Strings::mustParseCommaList)
+            //                            .map(URI::create)
+            //                            .toList()
+            );
+
+    var keyStore = new KeyStore();
+    var tokenIssuer = new TokenIssuerImpl(config.baseUri(), keyStore, new InMemoryCodeRepo());
+    var sessionRepo = new InMemorySessionRepo();
+
+    var instance =
+        SeBootstrap.start(
+                new App(config, sessionRepo, keyStore, tokenIssuer),
+                Configuration.builder().host("0.0.0.0").port(config.port()).build())
+            .toCompletableFuture()
+            .get();
+
+    var localUri = instance.configuration().baseUri();
+    logger.atInfo().addKeyValue("local_addr", localUri).log("Magic at {}", config.baseUri());
+
+    // wait forever
+    Thread.currentThread().join();
+  }
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/Config.java

@@ -0,0 +1,7 @@
+package com.oviva.gesundheitsid.relyingparty.cfg;
+
+import java.net.URI;
+import java.util.List;
+
+public record Config(
+    int port, URI baseUri, List<String> supportedResponseTypes, List<URI> validRedirectUris) {}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/ConfigProvider.java

@@ -0,0 +1,7 @@
+package com.oviva.gesundheitsid.relyingparty.cfg;
+
+import java.util.Optional;
+
+public interface ConfigProvider {
+  Optional<String> get(String name);
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/EnvConfigProvider.java

@@ -0,0 +1,26 @@
+package com.oviva.gesundheitsid.relyingparty.cfg;
+
+import java.util.Locale;
+import java.util.Optional;
+import java.util.function.Function;
+
+public class EnvConfigProvider implements ConfigProvider {
+
+  private final String prefix;
+  private final Function<String, String> getenv;
+
+  public EnvConfigProvider(String prefix, Function<String, String> getenv) {
+    this.prefix = prefix;
+    this.getenv = getenv;
+  }
+
+  @Override
+  public Optional<String> get(String name) {
+
+    var mangled = prefix + "_" + name;
+    mangled = mangled.toUpperCase(Locale.ROOT);
+    mangled = mangled.replaceAll("[^A-Z0-9]", "_");
+
+    return Optional.ofNullable(getenv.apply(mangled));
+  }
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/CodeRepo.java

@@ -0,0 +1,11 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuer.Code;
+import java.util.Optional;
+
+public interface CodeRepo {
+
+  void save(Code code);
+
+  Optional<Code> remove(String code);
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/InMemoryCodeRepo.java

@@ -0,0 +1,23 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuer.Code;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+public class InMemoryCodeRepo implements CodeRepo {
+
+  private final ConcurrentMap<String, Code> store = new ConcurrentHashMap<>();
+
+  @Override
+  public void save(@NonNull Code code) {
+    store.put(code.code(), code);
+  }
+
+  @NonNull
+  @Override
+  public Optional<Code> remove(String code) {
+    return Optional.ofNullable(store.remove(code));
+  }
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/InMemorySessionRepo.java

@@ -0,0 +1,35 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import com.oviva.gesundheitsid.relyingparty.util.IdGenerator;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+public class InMemorySessionRepo implements SessionRepo {
+
+  private final ConcurrentMap<String, Session> repo = new ConcurrentHashMap<>();
+
+  @Override
+  public String save(@NonNull Session session) {
+    if (session.id() != null) {
+      throw new IllegalStateException(
+          "session already has an ID=%s, already saved?".formatted(session.id()));
+    }
+
+    var id = IdGenerator.generateID();
+    session =
+        new Session(
+            id, session.state(), session.nonce(), session.redirectUri(), session.clientId());
+
+    repo.put(id, session);
+
+    return id;
+  }
+
+  @Nullable
+  @Override
+  public Session load(@NonNull String sessionId) {
+    return repo.get(sessionId);
+  }
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/KeyStore.java

@@ -0,0 +1,29 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
+
+public class KeyStore {
+
+  private final ECKey signingKey;
+
+  public KeyStore() {
+
+    try {
+      this.signingKey =
+          new ECKeyGenerator(Curve.P_256)
+              .keyIDFromThumbprint(false)
+              .keyUse(KeyUse.SIGNATURE)
+              .generate();
+    } catch (JOSEException e) {
+      throw new IllegalStateException("failed to generate EC signing key", e);
+    }
+  }
+
+  public ECKey signingKey() {
+    return signingKey;
+  }
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/SessionRepo.java

@@ -0,0 +1,13 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.net.URI;
+
+public interface SessionRepo {
+
+  String save(@NonNull Session session);
+
+  Session load(@NonNull String sessionId);
+
+  record Session(String id, String state, String nonce, URI redirectUri, String clientId) {}
+}

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/TokenIssuer.java

@@ -0,0 +1,23 @@
+package com.oviva.gesundheitsid.relyingparty.svc;
+
+import com.oviva.gesundheitsid.relyingparty.svc.SessionRepo.Session;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.net.URI;
+import java.time.Instant;
+
+public interface TokenIssuer {
+
+  Code issueCode(Session session);
+
+  Token redeem(@NonNull String code, String redirectUri, String clientId);
+
+  record Code(
+      String code,
+      Instant issuedAt,
+      Instant expiresAt,
+      URI redirectUri,
+      String nonce,
+      String clientId) {}
+
+  record Token(String accessToken, String idToken, long expiresInSeconds) {}
+}