Merge pull request #6837 from ORCID/RedisClient

Add Redis cache to store the tokens

Author: amontenegro

orcid-api-common/src/main/java/org/orcid/api/common/oauth/OrcidClientCredentialEndPointDelegator.java

@@ -9,4 +9,8 @@
 public interface OrcidClientCredentialEndPointDelegator {
 
     Response obtainOauth2Token(String authorization, MultivaluedMap<String, String> formParams);
+    
+    void setTokenCacheEnabled(boolean enabled);
+    
+    boolean isTokenCacheEnabled();
 }

orcid-api-common/src/main/java/org/orcid/api/common/oauth/OrcidClientCredentialEndPointDelegatorImpl.java

@@ -16,8 +16,11 @@
 import org.orcid.core.constants.OrcidOauth2Constants;
 import org.orcid.core.exception.OrcidInvalidScopeException;
 import org.orcid.core.locale.LocaleManager;
+import org.orcid.core.manager.EncryptionManager;
 import org.orcid.core.oauth.OAuthError;
 import org.orcid.core.oauth.OAuthErrorUtils;
+import org.orcid.core.utils.JsonUtils;
+import org.orcid.core.utils.cache.redis.RedisClient;
 import org.orcid.jaxb.model.message.ScopePathType;
 import org.orcid.persistence.dao.OrcidOauth2AuthoriziationCodeDetailDao;
 import org.orcid.persistence.dao.ProfileLastModifiedDao;
@@ -26,6 +29,7 @@
 import org.orcid.pojo.ajaxForm.PojoUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -57,6 +61,15 @@ public class OrcidClientCredentialEndPointDelegatorImpl extends AbstractEndpoint
     @Resource(name="profileLastModifiedDao")
     private ProfileLastModifiedDao profileLastModifiedDao;
 
+    @Resource
+    private RedisClient redisClient;
+    
+    @Resource
+    private EncryptionManager encryptionManager;
+    
+    @Value("${org.orcid.core.utils.cache.redis.enabled:true}") 
+    private boolean isTokenCacheEnabled;
+    
     @Transactional
     public Response obtainOauth2Token(String authorization, MultivaluedMap<String, String> formParams) {
         String code = formParams.getFirst("code");
@@ -152,12 +165,39 @@ public Response obtainOauth2Token(String authorization, MultivaluedMap<String, S
                     }                    
                 }                
             }
+            
+            removeMetadataFromToken(token);
+            setToCache(client.getName(), token);
             return getResponse(token);
         } catch (InvalidGrantException e){ //this needs to be caught here so the transaction doesn't roll back
             OAuthError error = OAuthErrorUtils.getOAuthError(e);
             return Response.status(error.getResponseStatus().getStatusCode()).entity(error).build();
         }
     }
+    
+    /**
+     * Set the access token in the cache
+     * */
+    protected void setToCache(String clientId, OAuth2AccessToken accessToken) {
+        if(isTokenCacheEnabled) {
+            try {
+                String tokenValue = accessToken.getValue();
+                Map<String, String> tokenData = new HashMap<String, String>();
+                tokenData.put(OrcidOauth2Constants.ACCESS_TOKEN, tokenValue);
+                tokenData.put(OrcidOauth2Constants.TOKEN_EXPIRATION_TIME, String.valueOf(accessToken.getExpiration().getTime()));
+                StringBuilder sb = new StringBuilder();
+                accessToken.getScope().forEach(x -> {sb.append(x); sb.append(' ');});
+                tokenData.put(OrcidOauth2Constants.SCOPE_PARAM, sb.toString());
+                tokenData.put(OrcidOauth2Constants.ORCID, (String) accessToken.getAdditionalInformation().get(OrcidOauth2Constants.ORCID));
+                tokenData.put(OrcidOauth2Constants.CLIENT_ID, clientId);
+                tokenData.put(OrcidOauth2Constants.RESOURCE_IDS, OrcidOauth2Constants.ORCID);
+                tokenData.put(OrcidOauth2Constants.APPROVED, Boolean.TRUE.toString());
+                redisClient.set(tokenValue, JsonUtils.convertToJsonString(tokenData));
+            } catch(Exception e) {
+                LOGGER.info("Unable to set token in Redis cache", e);
+            }
+        }
+    }
 
     /**
      * Calculates the real value of the "expires_in" param based on the current time
@@ -261,7 +301,7 @@ protected OAuth2AccessToken generateToken(Authentication client, Set<String> sco
         return token;
     }
 
-    protected Response getResponse(OAuth2AccessToken accessToken) {
+    protected void removeMetadataFromToken(OAuth2AccessToken accessToken) {
         if(accessToken != null && accessToken.getAdditionalInformation() != null) {
             if(accessToken.getAdditionalInformation().containsKey(OrcidOauth2Constants.TOKEN_VERSION))
                 accessToken.getAdditionalInformation().remove(OrcidOauth2Constants.TOKEN_VERSION);
@@ -271,8 +311,10 @@ protected Response getResponse(OAuth2AccessToken accessToken) {
                 accessToken.getAdditionalInformation().remove(OrcidOauth2Constants.DATE_CREATED);
             if(accessToken.getAdditionalInformation().containsKey(OrcidOauth2Constants.TOKEN_ID))
                 accessToken.getAdditionalInformation().remove(OrcidOauth2Constants.TOKEN_ID);
-        }        
-        
+        }
+    }
+    
+    protected Response getResponse(OAuth2AccessToken accessToken) {                        
         return Response.ok((DefaultOAuth2AccessToken)accessToken).header("Cache-Control", "no-store").header("Pragma", "no-cache").build();
     }
 
@@ -286,4 +328,12 @@ protected Authentication getClientAuthentication() {
 
     }
 
+    public boolean isTokenCacheEnabled() {
+        return isTokenCacheEnabled;
+    }
+
+    public void setTokenCacheEnabled(boolean isTokenCacheEnabled) {
+        this.isTokenCacheEnabled = isTokenCacheEnabled;
+    }
+
 }

orcid-api-common/src/main/resources/orcid-oauth2-api-common-config.xml

@@ -123,5 +123,13 @@
 				<ref bean="orcidImplicitTokenGranter" />
 			</list>
 		</constructor-arg>
-	</bean>		
+	</bean>
+	
+	<!-- Redis cache -->
+	<bean id="redisClient" class="org.orcid.core.utils.cache.redis.RedisClient">
+		<constructor-arg index="0" value="${org.orcid.core.utils.cache.redis.host}"/>
+		<constructor-arg index="1" value="${org.orcid.core.utils.cache.redis.port}" />
+		<constructor-arg index="2" value="${org.orcid.core.utils.cache.redis.password}" />
+		<constructor-arg index="3" value="${org.orcid.core.utils.cache.redis.expiration_in_secs:600}" />
+	</bean>
 </beans>

orcid-api-common/src/test/java/org/orcid/api/common/oauth/OrcidClientCredentialEndPointDelegatorTest.java

@@ -4,11 +4,14 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 
 import javax.annotation.Resource;
 import javax.ws.rs.core.MultivaluedMap;
@@ -23,8 +26,11 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
+import org.orcid.core.constants.OrcidOauth2Constants;
 import org.orcid.core.oauth.openid.OpenIDConnectKeyService;
+import org.orcid.core.utils.JsonUtils;
 import org.orcid.core.utils.SecurityContextTestUtils;
+import org.orcid.core.utils.cache.redis.RedisClient;
 import org.orcid.jaxb.model.message.ScopePathType;
 import org.orcid.persistence.dao.OrcidOauth2AuthoriziationCodeDetailDao;
 import org.orcid.persistence.dao.ProfileLastModifiedDao;
@@ -64,6 +70,9 @@ public class OrcidClientCredentialEndPointDelegatorTest extends DBUnitTest {
     @Mock
     private ProfileLastModifiedDao profileLastModifiedDaoMock;
 
+    @Mock
+    private RedisClient redisClientMock;
+    
     @Resource
     private ProfileLastModifiedDao profileLastModifiedDao;
 
@@ -77,6 +86,9 @@ public static void initDBUnitData() throws Exception {
     public void before() {
         MockitoAnnotations.initMocks(this);
         TargetProxyHelper.injectIntoProxy(orcidClientCredentialEndPointDelegator, "profileLastModifiedDao", profileLastModifiedDaoMock);
+        TargetProxyHelper.injectIntoProxy(orcidClientCredentialEndPointDelegator, "redisClient", redisClientMock);
+        // Keep the cache disabled
+        orcidClientCredentialEndPointDelegator.setTokenCacheEnabled(false);
     }
 
     @AfterClass
@@ -268,4 +280,66 @@ public void generateRefreshTokenThatExpireAfterParentTokenTest() {
         assertTrue(token.getExpiration().getTime() > refreshToken.getExpiration().getTime());
     }
 
+    @Test
+    public void obtainOauth2TokenSetCacheTest() {
+        // Enable cache
+        orcidClientCredentialEndPointDelegator.setTokenCacheEnabled(true);
+        SecurityContextTestUtils.setUpSecurityContextForClientOnly(CLIENT_ID_1, ScopePathType.ACTIVITIES_UPDATE, ScopePathType.READ_LIMITED);
+        OrcidOauth2AuthoriziationCodeDetail authCode = createAuthorizationCode("code-1", CLIENT_ID_1, "http://www.APP-5555555555555555.com/redirect/oauth", true,
+                "/activities/update");
+        MultivaluedMap<String, String> formParams = new MultivaluedHashMap<String, String>();
+        formParams.add("client_id", CLIENT_ID_1);
+        formParams.add("client_secret", "DhkFj5EI0qp6GsUKi55Vja+h+bsaKpBx");
+        formParams.add("grant_type", "authorization_code");
+        formParams.add("redirect_uri", "http://www.APP-5555555555555555.com/redirect/oauth");
+        formParams.add("code", authCode.getId());
+        Response response = orcidClientCredentialEndPointDelegator.obtainOauth2Token(null, formParams);
+        assertNotNull(response);
+        assertNotNull(response.getEntity());
+        DefaultOAuth2AccessToken token = (DefaultOAuth2AccessToken) response.getEntity();
+        assertNotNull(token);
+        assertTrue(!PojoUtil.isEmpty(token.getValue()));
+        
+        String tokenValue = token.getValue();
+        
+        
+        Map<String, String> tokenData = new HashMap<String, String>();
+        tokenData.put(OrcidOauth2Constants.ACCESS_TOKEN, tokenValue);
+        tokenData.put(OrcidOauth2Constants.TOKEN_EXPIRATION_TIME, String.valueOf(token.getExpiration().getTime()));
+        StringBuilder sb = new StringBuilder();
+        token.getScope().forEach(x -> {sb.append(x); sb.append(' ');});
+        tokenData.put(OrcidOauth2Constants.SCOPE_PARAM, sb.toString());
+        tokenData.put(OrcidOauth2Constants.ORCID, (String) token.getAdditionalInformation().get(OrcidOauth2Constants.ORCID));
+        tokenData.put(OrcidOauth2Constants.CLIENT_ID, CLIENT_ID_1);
+        tokenData.put(OrcidOauth2Constants.RESOURCE_IDS, OrcidOauth2Constants.ORCID);
+        tokenData.put(OrcidOauth2Constants.APPROVED, Boolean.TRUE.toString());
+        
+        String tokenDataString = JsonUtils.convertToJsonString(tokenData);
+        
+        verify(redisClientMock, times(1)).set(Mockito.eq(tokenValue), Mockito.eq(tokenDataString));        
+    }
+    
+    @Test
+    public void obtainOauth2TokenSkipCacheTest() {
+        // Ensure cache is disabled
+        orcidClientCredentialEndPointDelegator.setTokenCacheEnabled(false);
+        
+        SecurityContextTestUtils.setUpSecurityContextForClientOnly(CLIENT_ID_1, ScopePathType.ACTIVITIES_UPDATE, ScopePathType.READ_LIMITED);
+        OrcidOauth2AuthoriziationCodeDetail authCode = createAuthorizationCode("code-1", CLIENT_ID_1, "http://www.APP-5555555555555555.com/redirect/oauth", true,
+                "/activities/update");
+        MultivaluedMap<String, String> formParams = new MultivaluedHashMap<String, String>();
+        formParams.add("client_id", CLIENT_ID_1);
+        formParams.add("client_secret", "DhkFj5EI0qp6GsUKi55Vja+h+bsaKpBx");
+        formParams.add("grant_type", "authorization_code");
+        formParams.add("redirect_uri", "http://www.APP-5555555555555555.com/redirect/oauth");
+        formParams.add("code", authCode.getId());
+        Response response = orcidClientCredentialEndPointDelegator.obtainOauth2Token(null, formParams);
+        assertNotNull(response);
+        assertNotNull(response.getEntity());
+        DefaultOAuth2AccessToken token = (DefaultOAuth2AccessToken) response.getEntity();
+        assertNotNull(token);
+        assertTrue(!PojoUtil.isEmpty(token.getValue()));
+        
+        verify(redisClientMock, never()).set(Mockito.any(), Mockito.any());        
+    }
 }

orcid-core/pom.xml

@@ -39,7 +39,12 @@
         <dependency>
             <groupId>org.orcid</groupId>
             <artifactId>orcid-model</artifactId>
-        </dependency>        
+        </dependency>
+        <dependency>
+            <groupId>${project.parent.groupId}</groupId>
+            <artifactId>orcid-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>  
 
         <!-- Internal test only -->
         <dependency>
@@ -322,7 +327,12 @@
 		    <groupId>javax.ws.rs</groupId>
 		    <artifactId>javax.ws.rs-api</artifactId>		    
 		</dependency>
-        
+		<!-- https://mvnrepository.com/artifact/redis.clients/jedis -->
+		<dependency>
+		    <groupId>redis.clients</groupId>
+		    <artifactId>jedis</artifactId>
+		    <version>4.4.3</version>
+		</dependency>
     </dependencies>
     <build>
         <plugins>

orcid-core/src/main/java/org/orcid/core/constants/OrcidOauth2Constants.java

@@ -26,6 +26,7 @@ public class OrcidOauth2Constants {
     public static final String EXPIRES_IN = "expires_in";
     public static final String TOKEN_ID = "tokenId";
     public static final String ORIGINAL_AUTHORIZATION_REQUEST = "org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST";
+    public static final String TOKEN_EXPIRATION_TIME = "token_expiration_time";
 
     public static final String APPROVED = "approved";
     public static final String RESOURCE_IDS = "resourceIds";

orcid-core/src/main/java/org/orcid/core/manager/impl/EncryptionManagerImpl.java

@@ -108,14 +108,14 @@ public String encryptForExternalUse(String stringToEncrypt) {
         return externalEncryptor.encrypt(stringToEncrypt);
     }
 
-	@Override
-	public String decryptForExternalUse(String stringToDecrypt) {
-		try {
-			return externalEncryptor.decrypt(stringToDecrypt);
-		} catch (EncryptionOperationNotPossibleException e) {
-			return decryptForLegacyExternalUse(stringToDecrypt);
-		}
-	}
+    @Override
+    public String decryptForExternalUse(String stringToDecrypt) {
+        try {
+            return externalEncryptor.decrypt(stringToDecrypt);
+        } catch (EncryptionOperationNotPossibleException e) {
+            return decryptForLegacyExternalUse(stringToDecrypt);
+        }
+    }
 
     @Override
     @Deprecated
@@ -225,14 +225,14 @@ public String getEmailHash(String email) {
         }
     }
 
-	@Override
-	public boolean matches(CharSequence rawPass, String encPass) {
-	        LOGGER.debug("About to start password check");
-	        StopWatch stopWatch = new StopWatch();
-	        stopWatch.start();
-	        boolean result = hashMatches(rawPass.toString(), encPass);
-	        stopWatch.stop();
-	        LOGGER.debug("Password check took {} ms", stopWatch.getTime());
-	        return result;
-	    } 
+    @Override
+    public boolean matches(CharSequence rawPass, String encPass) {
+        LOGGER.debug("About to start password check");
+        StopWatch stopWatch = new StopWatch();
+        stopWatch.start();
+        boolean result = hashMatches(rawPass.toString(), encPass);
+        stopWatch.stop();
+        LOGGER.debug("Password check took {} ms", stopWatch.getTime());
+        return result;
+    }
 }