Save client secret hashed on the database by SteDev2 · Pull Request #947 · indigo-iam/iam

SteDev2 · 2025-03-26T16:41:45Z

No description provided.

...c/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java

iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java

...in/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java

iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java

iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamApiSecurityConfig.java

jacogasp · 2025-06-06T07:36:38Z

...c/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java

    } else if (isNull(client.getClientSecret())) {
      client.setClientSecret(defaultsService.generateClientSecret());
+    } else {
+      newClient.setClientSecret(defaultsService.generateClientSecret());


In quali casi entriamo in questo else?

è da rimuovere, altrimenti genera un nuovo secret ogni volta che modifichiamo il client

In some cases, when updating client data from the dashboard, the dashboard doesn't know the new ClientSecret hash, so it's updated with the old value. We don't want the user to change the secret or secret hash from the client update, but only from the new secret request.

here's definitely a better way to write this check, but I discovered it after a bug search and it gave me bad credentials. I'll finish it in the next few days, or if anyone wants to fix it...

I would preferably identify the "some cases" and properly address them with specific checks rather than a generic else, if there is no a valid reason to do it.

...ogin-service/src/main/java/it/infn/mw/iam/config/security/IamTokenEndointSecurityConfig.java

...service/src/main/java/it/infn/mw/iam/core/expression/IamMethodSecurityExpressionHandler.java

...login-service/src/main/java/it/infn/mw/iam/core/expression/IamSecurityExpressionMethods.java

...c/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java

iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java

iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java

iam-persistence/src/main/java/db/migration/mysql/V109__HashClientSecret.java

jacogasp · 2025-09-05T08:29:20Z

...pp/resources/iam/apps/dashboard-app/components/user/myclients/myclient/myclient.component.js

            });
-            return res;
+
+            var res = () => {


Suggested change

var res = () => {

const res = () => {

jacogasp · 2025-09-05T08:29:31Z

...pp/resources/iam/apps/dashboard-app/components/user/myclients/myclient/myclient.component.js

-            return res;
+
+            var res = () => {
+                var modalInstance = $uibModal.open({


Suggested change

var modalInstance = $uibModal.open({

const modalInstance = $uibModal.open({

jacogasp · 2025-09-05T08:30:01Z

...pp/resources/iam/apps/dashboard-app/components/user/myclients/myclient/myclient.component.js

+                modalInstance.result.then(function (selectedItem) {
+                    $ctrl.selected = selectedItem;
+                }, function () {
+                    console.log('Dialog dismissed at: ' + new Date());


Why this log on the browser console?

jacogasp · 2025-09-05T08:30:36Z

...pp/resources/iam/apps/dashboard-app/components/user/myclients/myclient/myclient.component.js

+                }, function () {
+                    console.log('Dialog dismissed at: ' + new Date());
+                });
+                return res;


You are returning lambda function, is it correct?

jacogasp · 2025-09-05T08:31:13Z

...pp/resources/iam/apps/dashboard-app/components/user/myclients/myclient/myclient.component.js

+                    return res;
+                }
+
+                var modalSecret = $uibModal.open({


Suggested change

var modalSecret = $uibModal.open({

const modalSecret = $uibModal.open({

jacogasp · 2025-09-05T08:34:04Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

    assertEquals(client.getIdTokenValiditySeconds(), clientDB.get().getIdTokenValiditySeconds());
-    assertEquals(client.getDeviceCodeValiditySeconds(), clientDB.get().getDeviceCodeValiditySeconds());
+    assertEquals(client.getDeviceCodeValiditySeconds(),
+        clientDB.get().getDeviceCodeValiditySeconds());


You are calling clientDB.get() at least four times.
Call it only once a store the result in a variable

jacogasp · 2025-09-05T08:35:34Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

    clientDB = clientRepo.findByClientId(client.getClientId());
-    assertEquals(client.getAccessTokenValiditySeconds(), clientDB.get().getAccessTokenValiditySeconds());
-    assertEquals(client.getRefreshTokenValiditySeconds(), clientDB.get().getRefreshTokenValiditySeconds());
+    assertEquals(client.getAccessTokenValiditySeconds(),


Same comment as above

jacogasp · 2025-09-05T08:37:23Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+
+    String responseJson = mvc
+      .perform(post(ClientRegistrationApiController.ENDPOINT).contentType(APPLICATION_JSON)
+        .content(clientJson))


Suggested change

.content(clientJson))

.content(clientJson))

jacogasp · 2025-09-05T08:37:58Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+    RegisteredClientDTO client = mapper.readValue(responseJson, RegisteredClientDTO.class);
+    String clientSecret = client.getClientSecret();
+
+    final String url =


I think that final is unnecessary in this context

jacogasp · 2025-09-05T08:39:24Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+
+    String responseJson = mvc
+      .perform(post(ClientManagementAPIController.ENDPOINT).contentType(APPLICATION_JSON)
+        .content(clientJson))


Suggested change

.content(clientJson))

.content(clientJson))

(don't copy/past to much)

jacogasp · 2025-09-05T08:39:39Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+    RegisteredClientDTO client = mapper.readValue(responseJson, RegisteredClientDTO.class);
+    String clientSecret = client.getClientSecret();
+
+    final String url =


jacogasp · 2025-09-05T08:39:49Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+    ClientDetailsEntity client =
+        clientRepo.findByClientId(clientId).orElseThrow(ClientSuppliers.clientNotFound(clientId));
+
+    final String url =


jacogasp · 2025-09-05T08:42:20Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+  @WithMockUser(username = "test", roles = {"USER"})
+  void secretRotationFailsForOtherUsers() throws Exception {
+
+    assertSecretRotationForbidden("client");


Maybe we can use a better client id rather than "client"

jacogasp · 2025-09-05T08:42:31Z

...ervice/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java

+  @WithMockUser(username = "non-existent-user", roles = {"USER"})
+  void secretRotationFailsWhenUserNotFound() throws Exception {
+
+    assertSecretRotationForbidden("client-cred");


Same as above

jacogasp · 2025-09-05T08:43:42Z

...login-service/src/test/java/it/infn/mw/iam/test/api/client/RegistrationAccessTokenTests.java

      .as(RegisteredClientDTO.class);

-    assertThat(getResponse.getClientSecret(), is(registerResponse.getClientSecret()));
+    assertThat(new IamClientSecretEncoder().matches(registerResponse.getClientSecret(), getResponse.getClientSecret()), is(true));


Can we split this line in multiple lines? Is very hard to read

jacogasp · 2025-09-05T08:51:18Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

    repo.deleteAll();
+    clientService.unlinkClientFromAccount(clientDetailsService.loadClientByClientId(TEST_CLIENT_ID),
+        accountRepo.findByUsername(TEST_ADMIN).get());
+    clientService.unlinkClientFromAccount(clientDetailsService.loadClientByClientId(TEST_CLIENT_ID),


Please call clientDetailsService.loadClientByClientId(TEST_CLIENT_ID) only once and store the result.
This very long calls are really hard to read

jacogasp · 2025-09-05T08:51:43Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

+  @Test
+  @WithMockUser(roles = {"ADMIN", "USER"}, username = TEST_ADMIN)
+  public void testIsClientOwnerIsAdmin() {
+    clientService.linkClientToAccount(clientDetailsService.loadClientByClientId(TEST_CLIENT_ID),


See above comment

jacogasp · 2025-09-05T08:52:36Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

+  @WithMockUser(roles = {"ADMIN", "USER"}, username = "test_200")
+  public void testIsClientOwnerIsUser() {
+    String owner = "test_200";
+    clientService.linkClientToAccount(clientDetailsService.loadClientByClientId(TEST_CLIENT_ID),


I do not repeat again, check also the next lines

jacogasp · 2025-09-05T08:54:24Z

...it/infn/mw/iam/test/oauth/assertion/JWTBearerClientAuthenticationIntegrationTestSupport.java

      throws JOSEException {

-    JWSSigner signer = new MACSigner(CLIENT_ID_SECRET_JWT_SECRET);
+    ClientDetailsEntity client = clientRepo.findByClientId(CLIENT_ID_SECRET_JWT).orElseThrow();


Is the .orElseThrow() call necessary? On the next line, if the client does not exist (is null) the client.getClientSecret() will throw a NullPointerException

jacogasp · 2025-09-05T08:56:40Z

...service/src/test/java/it/infn/mw/iam/test/oauth/scope/matchers/ScopeMatcherNoCacheTests.java

    client.setScope(Sets.newHashSet("openid", "profile", "email"));
    clientRepo.save(client);

    try {


Cannot understand this try without the catch.
If we have an error here, this will disappear in the cosmic galactic void without any evidence

iam-persistence/src/main/java/db/migration/mysql/V110__HashClientSecret.java

jacogasp · 2025-09-15T07:57:58Z

...in/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java


+    if (NONE.equals(newClient.getTokenEndpointAuthMethod())) {
+      newClient.setClientSecret(null);
+    } else if (isNull(request.getClientSecret()) && isNull(oldClient.getClientSecret())) {


Just curiosity: what is the difference between NONE.equals and isNull? Can we use the same check to be consistent?

jacogasp · 2025-09-15T08:01:29Z

...in/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java

+    } else if (isNull(request.getClientSecret()) && isNull(oldClient.getClientSecret())) {
+      newClient.setClientSecret(defaultsService.generateClientSecret());
+    } else {
+      // Direct updates are disabled. Changes must be made via secret reset process


What is a secret reset process? Do you mean calling the reset secret API endpoint?
And what do you mean with "direct updates?" Do you mean passing the secret in the PUT request to edit the client?
If I'm getting it right, we should add a test that checks that the secret is ignored from the PUT request or a bad request error is thrown

jacogasp · 2025-09-15T08:01:41Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

-    doReturn(Optional.of(clientTest)).when(clientRepo).findByClientId(TEST_CLIENT_ID);
+    Optional<IamAccount> account = accountRepo.findByUsername(TEST_ADMIN);
+    ClientDetailsEntity clientTestUpdate = clientService.linkClientToAccount(clientTest, account.get());
+


Suggested change

jacogasp · 2025-09-15T08:01:56Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

-    doReturn(Optional.of(clientTest)).when(clientRepo).findByClientId(TEST_CLIENT_ID);
+    Optional<IamAccount> account = accountRepo.findByUsername(owner);
+    ClientDetailsEntity clientTestUpdate = clientService.linkClientToAccount(clientTest, account.get());
+


Suggested change

jacogasp · 2025-09-15T08:02:04Z

iam-login-service/src/test/java/it/infn/mw/iam/test/core/IamSecurityExpressionMethodsTests.java

-    doReturn(Optional.of(clientTest)).when(clientRepo).findByClientId(TEST_CLIENT_ID);
+    Optional<IamAccount> account = accountRepo.findByUsername(owner);
+    ClientDetailsEntity clientTestUpdate = clientService.linkClientToAccount(clientTest, account.get());
+


Suggested change

SteDev2 added kind/feature priority/normal labels Mar 26, 2025

SteDev2 requested review from enricovianello and rmiccoli March 26, 2025 16:41

SteDev2 self-assigned this Mar 26, 2025

SteDev2 added this to v1.12.0 Mar 26, 2025

rmiccoli changed the title ~~Issue 923~~ Save client secret hashed on the database Mar 26, 2025

rmiccoli linked an issue Mar 26, 2025 that may be closed by this pull request

Client secret hashed on DataBase #923

Open

rmiccoli moved this to In Progress in v1.12.0 Mar 27, 2025

enricovianello removed this from v1.12.0 Apr 1, 2025

enricovianello added the component/db Issue that includes one or more db migrations label Apr 2, 2025

enricovianello marked this pull request as ready for review April 17, 2025 13:00

rmiccoli added status/in-progress and removed priority/normal labels Apr 22, 2025

giacomini reviewed May 2, 2025

View reviewed changes

...c/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java Outdated Show resolved Hide resolved

enricovianello force-pushed the develop branch from 5eba703 to 47f0147 Compare May 19, 2025 09:27

enricovianello force-pushed the issue-923 branch from ec31199 to 42e44c9 Compare May 21, 2025 09:41