Merge branch '7.8'

Author: at055612

.github/workflows/build_and_release.yml

@@ -30,7 +30,7 @@ jobs:
         # Make sure the wrapper jar has not been tampered with
       - name: Validate gradle wrapper jar
         id: validate_gradle_wrapper
-        uses: gradle/actions/wrapper-validation@v3
+        uses: gradle/actions/wrapper-validation@v4
 
         # Set variables in github's special env file which are then automatically 
         # read into env vars in each subsequent step

stroom-config/stroom-config-app/src/main/java/stroom/config/app/SessionConfig.java

@@ -17,7 +17,7 @@ public class SessionConfig extends AbstractConfig implements IsStroomConfig {
 
     public static final String PROP_NAME_MAX_INACTIVE_INTERVAL = "maxInactiveInterval";
 
-    public static final StroomDuration DEFAULT_MAX_INACTIVE_INTERVAL = StroomDuration.ofDays(1);
+    public static final StroomDuration DEFAULT_MAX_INACTIVE_INTERVAL = StroomDuration.ofDays(7);
 
     private final StroomDuration maxInactiveInterval;
 

stroom-config/stroom-config-app/src/test/resources/stroom/config/app/expected.yaml

@@ -780,6 +780,11 @@ appConfig:
         expireAfterWrite: "PT1M"
         maximumSize: 1000
         refreshAfterWrite: null
+      authenticationStateCache:
+        expireAfterAccess: null
+        expireAfterWrite: "PT10M"
+        maximumSize: 1000
+        refreshAfterWrite: null
       maxApiKeyExpiryAge: "P365D"
       openId:
         authEndpoint: null
@@ -939,7 +944,7 @@ appConfig:
       strictTransportSecurity: "max-age=31536000; includeSubDomains; preload"
       xssProtection: "1; mode=block"
   session:
-    maxInactiveInterval: "P1D"
+    maxInactiveInterval: "P7D"
   sessionCookie:
     httpOnly: true
     sameSite: "STRICT"

stroom-core-client/src/main/java/stroom/dispatch/client/RestFactoryImpl.java

@@ -4,11 +4,14 @@
 import stroom.task.client.Task;
 import stroom.task.client.TaskMonitor;
 import stroom.task.client.TaskMonitorFactory;
+import stroom.util.client.Console;
 import stroom.util.shared.GwtNullSafe;
 
 import com.google.gwt.core.client.GWT;
 import com.google.gwt.event.shared.GwtEvent;
 import com.google.gwt.event.shared.HasHandlers;
+import com.google.gwt.http.client.Response;
+import com.google.gwt.user.client.Window.Location;
 import com.google.inject.Inject;
 import com.google.web.bindery.event.shared.EventBus;
 import org.fusesource.restygwt.client.Defaults;
@@ -157,8 +160,19 @@ public TaskExecutorImpl(final HasHandlers hasHandlers,
 
         @Override
         public void exec() {
-            final RestErrorHandler errorHandler = GwtNullSafe
+            final RestErrorHandler innerErrorHandler = GwtNullSafe
                     .requireNonNullElseGet(this.errorHandler, () -> new DefaultErrorHandler(hasHandlers, null));
+            final RestErrorHandler errorHandler = error -> {
+                final int statusCode = GwtNullSafe
+                        .getOrElse(error, RestError::getMethod, Method::getResponse, Response::getStatusCode, -1);
+                if (statusCode == Response.SC_UNAUTHORIZED) {
+                    // Reload as we have been logged out.
+                    Console.log(() -> "Unauthorised request, assuming user session is invalid, reloading...");
+                    Location.reload();
+                } else {
+                    innerErrorHandler.onError(error);
+                }
+            };
             final TaskMonitorFactory taskMonitorFactory = GwtNullSafe
                     .requireNonNullElseGet(this.taskMonitorFactory, () -> new DefaultTaskMonitorFactory(hasHandlers));
 

stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/AuthenticationConfig.java

@@ -17,9 +17,11 @@ public class AuthenticationConfig extends AbstractConfig implements IsStroomConf
     public static final String PROP_NAME_OPENID = "openId";
     public static final String PROP_NAME_PREVENT_LOGIN = "preventLogin";
     public static final String PROP_NAME_API_KEY_CACHE = "apiKeyCache";
+    public static final String PROP_NAME_AUTHENTICATION_STATE_CACHE = "authenticationStateCache";
     public static final String PROP_NAME_MAX_API_KEY_EXPIRY_AGE = "maxApiKeyExpiryAge";
 
     private final CacheConfig apiKeyCache;
+    private final CacheConfig authenticationStateCache;
     private final StroomDuration maxApiKeyExpiryAge;
     private final StroomOpenIdConfig openIdConfig;
     private final boolean preventLogin;
@@ -29,6 +31,10 @@ public AuthenticationConfig() {
                 .maximumSize(1_000L)
                 .expireAfterWrite(StroomDuration.ofSeconds(60))
                 .build();
+        authenticationStateCache = CacheConfig.builder()
+                .maximumSize(1_000L)
+                .expireAfterWrite(StroomDuration.ofMinutes(10))
+                .build();
         maxApiKeyExpiryAge = StroomDuration.ofDays(365);
         openIdConfig = new StroomOpenIdConfig();
         preventLogin = false;
@@ -37,11 +43,12 @@ public AuthenticationConfig() {
     @JsonCreator
     public AuthenticationConfig(
             @JsonProperty(PROP_NAME_API_KEY_CACHE) final CacheConfig apiKeyCache,
+            @JsonProperty(PROP_NAME_AUTHENTICATION_STATE_CACHE) final CacheConfig authenticationStateCache,
             @JsonProperty(PROP_NAME_MAX_API_KEY_EXPIRY_AGE) final StroomDuration maxApiKeyExpiryAge,
             @JsonProperty(PROP_NAME_OPENID) final StroomOpenIdConfig openIdConfig,
             @JsonProperty(PROP_NAME_PREVENT_LOGIN) final boolean preventLogin) {
-
         this.apiKeyCache = apiKeyCache;
+        this.authenticationStateCache = authenticationStateCache;
         this.maxApiKeyExpiryAge = maxApiKeyExpiryAge;
         this.openIdConfig = openIdConfig;
         this.preventLogin = preventLogin;
@@ -52,6 +59,11 @@ public CacheConfig getApiKeyCache() {
         return apiKeyCache;
     }
 
+    @JsonProperty(PROP_NAME_AUTHENTICATION_STATE_CACHE)
+    public CacheConfig getAuthenticationStateCache() {
+        return authenticationStateCache;
+    }
+
     @JsonProperty(PROP_NAME_MAX_API_KEY_EXPIRY_AGE)
     @JsonPropertyDescription("The maximum expiry age for new API keys. Defaults to 365 days.")
     @NotNull
@@ -65,7 +77,7 @@ public StroomOpenIdConfig getOpenIdConfig() {
     }
 
     @JsonPropertyDescription("Prevent new logins to the system. This is useful if the system is scheduled to " +
-            "have an outage.")
+                             "have an outage.")
     @JsonProperty(PROP_NAME_PREVENT_LOGIN)
     public boolean isPreventLogin() {
         return preventLogin;
@@ -74,10 +86,11 @@ public boolean isPreventLogin() {
     @Override
     public String toString() {
         return "AuthenticationConfig{" +
-                "apiKeyCache=" + apiKeyCache +
-                ", maxApiKeyExpiryAge=" + maxApiKeyExpiryAge +
-                ", openIdConfig=" + openIdConfig +
-                ", preventLogin=" + preventLogin +
-                '}';
+               "apiKeyCache=" + apiKeyCache +
+               ", authenticationStateCache=" + authenticationStateCache +
+               ", maxApiKeyExpiryAge=" + maxApiKeyExpiryAge +
+               ", openIdConfig=" + openIdConfig +
+               ", preventLogin=" + preventLogin +
+               '}';
     }
 }

stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/AuthenticationStateCache.java

@@ -0,0 +1,67 @@
+package stroom.security.impl;
+
+import stroom.cache.api.CacheManager;
+import stroom.cache.api.StroomCache;
+import stroom.security.common.impl.AuthenticationState;
+import stroom.util.logging.LambdaLogger;
+import stroom.util.logging.LambdaLoggerFactory;
+import stroom.util.logging.LogUtil;
+
+import jakarta.inject.Inject;
+import jakarta.inject.Provider;
+import jakarta.inject.Singleton;
+
+import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.Optional;
+
+@Singleton
+public class AuthenticationStateCache {
+
+    private static final LambdaLogger LOGGER = LambdaLoggerFactory.getLogger(AuthenticationStateCache.class);
+
+    private final StroomCache<String, AuthenticationState> cache;
+
+    @Inject
+    public AuthenticationStateCache(final Provider<AuthenticationConfig> configProvider,
+                                    final CacheManager cacheManager) {
+        cache = cacheManager.create("Authentication State Cache",
+                () -> configProvider.get().getAuthenticationStateCache());
+    }
+
+    /**
+     * A 'state' is a single use, cryptographically random string,
+     * and it's use here is to prevent replay attacks.
+     * <p>
+     * State is used in the authentication flow - the hash is included in the original AuthenticationRequest
+     * that Stroom makes to the Authentication Service. When Stroom is subsequently called the state is provided in the
+     * URL to allow verification that the return request was expected.
+     */
+    public AuthenticationState create(final String url,
+                                      final boolean prompt) {
+        final String stateId = createRandomString(20);
+        final String nonce = createRandomString(20);
+
+        final AuthenticationState state = new AuthenticationState(stateId, url, nonce, prompt);
+        LOGGER.debug(() -> LogUtil.message("Creating {}", state));
+
+        cache.put(stateId, state);
+        return state;
+    }
+
+    @SuppressWarnings("unchecked")
+    public Optional<AuthenticationState> getAndRemove(final String stateId) {
+        final Optional<AuthenticationState> optional = cache.getIfPresent(stateId);
+        if (optional.isPresent()) {
+            cache.invalidate(stateId);
+        }
+        return optional;
+    }
+
+    private String createRandomString(final int length) {
+        final SecureRandom secureRandom = new SecureRandom();
+        final byte[] bytes = new byte[length];
+        secureRandom.nextBytes(bytes);
+        return Base64.getUrlEncoder().encodeToString(bytes);
+    }
+}