Skip to content

Commit

Permalink
fix: reduce DB calls in password grant flow (#3017)
Browse files Browse the repository at this point in the history
* fix: reduce DB calls in password grant flow

1. do not retrieve always all IdPs, but check if origin call is possible
2. do not retrieve client again (check in client authentication already)

* sonar refactorings

* Test error fix
  • Loading branch information
strehle authored Aug 29, 2024
1 parent 28116ea commit 48f18bc
Show file tree
Hide file tree
Showing 4 changed files with 95 additions and 38 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.authentication.UaaLoginHint;
import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationFailureEvent;
import org.cloudfoundry.identity.uaa.client.UaaClient;
import org.cloudfoundry.identity.uaa.constants.ClientAuthentication;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.impl.config.RestTemplateConfig;
Expand All @@ -18,13 +19,13 @@
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthCodeToken;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthProviderConfigurator;
import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
Expand All @@ -35,7 +36,6 @@
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetails;
import org.springframework.util.Base64Utils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
Expand All @@ -46,7 +46,6 @@
import java.net.URL;
import java.util.*;
import java.util.function.Supplier;
import java.util.stream.Collectors;

import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_PASSWORD;
import static org.springframework.http.MediaType.APPLICATION_JSON;
Expand All @@ -57,16 +56,14 @@ public class PasswordGrantAuthenticationManager implements AuthenticationManager
private IdentityProviderProvisioning identityProviderProvisioning;
private RestTemplateConfig restTemplateConfig;
private ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager;
private MultitenantClientServices clientDetailsService;
private ExternalOAuthProviderConfigurator externalOAuthProviderProvisioning;
private ApplicationEventPublisher eventPublisher;

public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager, final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager, MultitenantClientServices clientDetailsService, ExternalOAuthProviderConfigurator externalOAuthProviderProvisioning) {
public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager, final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager, ExternalOAuthProviderConfigurator externalOAuthProviderProvisioning) {
this.zoneAwareAuthzAuthenticationManager = zoneAwareAuthzAuthenticationManager;
this.identityProviderProvisioning = identityProviderProvisioning;
this.restTemplateConfig = restTemplateConfig;
this.externalOAuthAuthenticationManager = externalOAuthAuthenticationManager;
this.clientDetailsService = clientDetailsService;
this.externalOAuthProviderProvisioning = externalOAuthProviderProvisioning;
}

Expand All @@ -76,18 +73,22 @@ public Authentication authenticate(Authentication authentication) throws Authent
List<String> allowedProviders = getAllowedProviders();
String defaultProvider = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
UaaLoginHint loginHintToUse;
List<String> identityProviders = identityProviderProvisioning.retrieveActive(IdentityZoneHolder.get().getId()).stream().filter(this::providerSupportsPasswordGrant).map(IdentityProvider::getOriginKey).collect(Collectors.toList());
IdentityProvider<OIDCIdentityProviderDefinition> identityProvider = retrieveOidcPasswordIdp(uaaLoginHint, defaultProvider, allowedProviders);
List<String> possibleProviders;
if (allowedProviders == null) {
possibleProviders = identityProviders;
if (identityProvider != null) {
possibleProviders = List.of(identityProvider.getOriginKey());
} else {
possibleProviders = allowedProviders.stream().filter(identityProviders::contains).collect(Collectors.toList());
List<String> identityProviders = identityProviderProvisioning.retrieveActive(IdentityZoneHolder.get().getId()).stream().filter(this::providerSupportsPasswordGrant).map(IdentityProvider::getOriginKey).toList();
possibleProviders = Optional.ofNullable(allowedProviders).orElse(identityProviders).stream().filter(identityProviders::contains).toList();
}
if (uaaLoginHint == null) {
if (defaultProvider != null && possibleProviders.contains(defaultProvider)) {
loginHintToUse = new UaaLoginHint(defaultProvider);
} else {
loginHintToUse = getUaaLoginHintForChainedAuth(possibleProviders);
if (identityProvider == null) {
identityProvider = retrieveOidcPasswordIdp(loginHintToUse, null, null);
}
}
} else {
if (possibleProviders.contains(uaaLoginHint.getOrigin())) {
Expand All @@ -101,13 +102,31 @@ public Authentication authenticate(Authentication authentication) throws Authent
if (loginHintToUse != null) {
zoneAwareAuthzAuthenticationManager.setLoginHint(authentication, loginHintToUse);
}
if (loginHintToUse == null || loginHintToUse.getOrigin() == null || loginHintToUse.getOrigin().equals(OriginKeys.UAA) || loginHintToUse.getOrigin().equals(OriginKeys.LDAP)) {
if (identityProvider == null || loginHintToUse == null || loginHintToUse.getOrigin() == null || loginHintToUse.getOrigin().equals(OriginKeys.UAA) || loginHintToUse.getOrigin().equals(OriginKeys.LDAP)) {
return zoneAwareAuthzAuthenticationManager.authenticate(authentication);
} else {
return oidcPasswordGrant(authentication, (OIDCIdentityProviderDefinition)externalOAuthProviderProvisioning.retrieveByOrigin(loginHintToUse.getOrigin(), IdentityZoneHolder.get().getId()).getConfig());
return oidcPasswordGrant(authentication, identityProvider.getConfig());
}
}

private IdentityProvider<OIDCIdentityProviderDefinition> retrieveOidcPasswordIdp(UaaLoginHint loginHint, String defaultOrigin, List<String> allowedProviders) {
IdentityProvider<OIDCIdentityProviderDefinition> idp = null;
String useOrigin = loginHint != null && loginHint.getOrigin() != null ? loginHint.getOrigin() : defaultOrigin;
if (useOrigin != null && !useOrigin.equalsIgnoreCase(OriginKeys.UAA) && !useOrigin.equalsIgnoreCase(OriginKeys.LDAP)) {
try {
IdentityProvider<OIDCIdentityProviderDefinition> retrievedByOrigin = externalOAuthProviderProvisioning.retrieveByOrigin(useOrigin,
IdentityZoneHolder.get().getId());
if (retrievedByOrigin != null && retrievedByOrigin.isActive() && retrievedByOrigin.getOriginKey().equals(useOrigin)
&& providerSupportsPasswordGrant(retrievedByOrigin) && (allowedProviders == null || allowedProviders.contains(useOrigin))) {
idp = retrievedByOrigin;
}
} catch (EmptyResultDataAccessException e) {
// ignore
}
}
return idp;
}

private UaaLoginHint getUaaLoginHintForChainedAuth(List<String> allowedProviders) {
UaaLoginHint loginHintToUse = null;
if (allowedProviders.size() == 1) {
Expand Down Expand Up @@ -239,9 +258,11 @@ private List<String> getAllowedProviders() {
if (clientAuth == null) {
throw new BadCredentialsException("No client authentication found.");
}
String clientId = clientAuth.getName();
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
return (List<String>)clientDetails.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
List<String> allowedProviders = null;
if (clientAuth.getPrincipal() instanceof UaaClient uaaClient && uaaClient.getAdditionalInformation() != null) {
allowedProviders = (List<String>) uaaClient.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
}
return allowedProviders;
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ public boolean isAllowPublic() {
}
}

private Map<String, Object> getAdditionalInformation() {
public Map<String, Object> getAdditionalInformation() {
return this.additionalInformation;
}

Expand Down
Loading

0 comments on commit 48f18bc

Please sign in to comment.