Merge pull request #145 from docusign/feature/added-pkce-to-quick-acg

Added PKCE flow to Quick_ACG

Author: InbarGazit

Quick_ACG/pom.xml

@@ -158,6 +158,7 @@
                                     <includes>
                                         <include>Locals.java</include>
                                         <include>User.java</include>
+                                        <include>EnvelopeDocumentInfo.java</include>
                                     </includes>
                                 </resource>
                                 <resource>
@@ -199,7 +200,16 @@
                                     <targetPath>${basedir}/src/main/java/com/docusign/core/security</targetPath>
                                     <directory>../src/main/java/com/docusign/core/security</directory>
                                     <includes>
-                                        <include>OAuthProperties.java</include>
+                                        <include>SecurityHelpers.java</include>
+                                        <include>JWTOAuth2User.java</include>
+                                        <include>CustomAuthenticationFailureHandler.java</include>
+                                    </includes>
+                                </resource>
+                                <resource>
+                                    <targetPath>${basedir}/src/main/java/com/docusign/core/security/acg</targetPath>
+                                    <directory>../src/main/java/com/docusign/core/security/acg</directory>
+                                    <includes>
+                                        <include>ACGAuthenticationMethod.java</include>
                                     </includes>
                                 </resource>
                                 <resource>

Quick_ACG/src/main/java/com/docusign/DSConfiguration.java

@@ -78,8 +78,20 @@ public class DSConfiguration {
     @Value("${DS_ADMIN_BASE_PATH}")
     private String adminBasePath;
 
+    @Value("${spring.security.oauth2.client.registration.acg.client-secret}")
+    private String secretUserId;
+
+    @Value("${spring.security.oauth2.client.provider.acg.token-uri}")
+    private String tokenEndpoint;
+
+    @Value("${spring.security.oauth2.client.provider.acg.authorization-uri}")
+    private String authorizationEndpoint;
+
+    @Value("${spring.security.oauth2.client.registration.jwt.client-id}")
+    private String userId;
+
     public String examplesApiPath = "examplesApi.json";
-    
+
     public String apiTypeHeader = "ApiType";
 
     @Value("${CodeExamplesManifest}")
@@ -94,14 +106,14 @@ public String getDsPingUrl() {
     }
 
     public ManifestStructure getCodeExamplesText() {
-        if (codeExamplesText != null){
+        if (codeExamplesText != null) {
             return codeExamplesText;
         }
 
         try {
             String json = loadFileData(codeExamplesManifest);
             codeExamplesText = new ObjectMapper().readValue(json, ManifestStructure.class);
-        } catch (JSONException | IOException e){
+        } catch (JSONException | IOException e) {
             e.printStackTrace();
         } catch (Exception e) {
             e.printStackTrace();

Quick_ACG/src/main/java/com/docusign/WebSecurityConfig.java

@@ -9,6 +9,7 @@
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
+import com.docusign.core.security.CustomAuthenticationFailureHandler;
 
 @EnableWebSecurity
 public class WebSecurityConfig {
@@ -28,26 +29,24 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     try {
                         authorize
                                 .antMatchers("/", "/error**", "/assets/**", "/ds/mustAuthenticate**",
-                                        "/ds/authenticate**", "/ds/selectApi**")
+                                        "/ds/authenticate**", "/ds/selectApi**", "/pkce")
                                 .permitAll()
                                 .anyRequest().authenticated()
                                 .and()
                                 .exceptionHandling()
                                 .authenticationEntryPoint(
-                                        new LoginUrlAuthenticationEntryPoint("/ds/mustAuthenticate")
-                                );
+                                        new LoginUrlAuthenticationEntryPoint("/ds/mustAuthenticate"));
                     } catch (Exception e) {
                         throw new RuntimeException(e);
                     }
                 })
                 .requestCache().requestCache(requestCache()).and()
-                .oauth2Login(Customizer.withDefaults())
+                .oauth2Login(login -> login.failureHandler(new CustomAuthenticationFailureHandler()))
                 .oauth2Client(Customizer.withDefaults())
                 .logout(logout -> logout
-                        .logoutSuccessUrl("/")
-                )
+                        .logoutSuccessUrl("/"))
                 .csrf().disable();
 
-        return  http.build();
+        return http.build();
     }
 }

Quick_ACG/src/main/java/com/docusign/core/controller/IndexController.java

@@ -6,6 +6,9 @@
 import com.docusign.core.model.User;
 import java.io.IOException;
 import java.util.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import com.docusign.core.security.acg.ACGAuthenticationMethod;
 
 import com.docusign.core.utils.AccountsConverter;
 import org.apache.commons.lang3.StringUtils;
@@ -26,21 +29,16 @@
 import com.docusign.esign.client.auth.OAuth;
 import java.util.stream.Collectors;
 import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.ControllerAdvice;
-import org.springframework.web.bind.annotation.ModelAttribute;
-import javax.servlet.http.HttpServletResponse;
 
 @Controller
 @ControllerAdvice
 @Scope(WebApplicationContext.SCOPE_SESSION)
 public class IndexController {
-    private static final String ATTR_ENVELOPE_ID = "qpEnvelopeId";
+    private static final List<String> ESIGNATURE_SCOPES = Arrays.asList("signature");
     private static final String ATTR_STATE = "state";
     private static final String ATTR_EVENT = "event";
-    private static final String ATTR_TITLE = "title";
 
     private static final String ERROR_ACCOUNT_NOT_FOUND = "Could not find account information for the user";
-    private static final String SELECTED_API_NOT_SUPPORTED = "Currently selected api is not supported by launcher. Please, check appsettings.json file.";
     private final DSConfiguration config;
     private final Session session;
     private final User user;
@@ -65,22 +63,45 @@ public String index(ModelMap model, HttpServletResponse response) throws IOExcep
     }
 
     @GetMapping(path = "/ds/mustAuthenticate")
-    public ModelAndView mustAuthenticateController(ModelMap model) throws IOException {
+    public ModelAndView mustAuthenticateController(ModelMap model) throws IOException, Exception {
         return new ModelAndView(getRedirectView());
     }
 
     @GetMapping(path = "/ds-return")
     public String returnController(@RequestParam(value = ATTR_STATE, required = false) String state,
             @RequestParam(value = ATTR_EVENT, required = false) String event,
-            @RequestParam(required = false) String envelopeId, ModelMap model, HttpServletResponse response) throws IOException {
+            @RequestParam(required = false) String envelopeId, ModelMap model, HttpServletResponse response)
+            throws IOException {
         String site = "/eg001";
         response.setStatus(response.SC_MOVED_TEMPORARILY);
         response.setHeader("Location", site);
         return null;
     }
 
-    private RedirectView getRedirectView() {
-        RedirectView redirect = new RedirectView(getLoginPath());
+    @GetMapping("/pkce")
+    public RedirectView pkce(String code, String state, HttpServletRequest req, HttpServletResponse resp)
+            throws Exception {
+        String redirectURL = "/";
+        RedirectView redirect;
+        try {
+            redirect = new ACGAuthenticationMethod().exchangeCodeForToken(code, config, session, redirectURL,
+                    ESIGNATURE_SCOPES);
+        } catch (Exception e) {
+            redirect = new RedirectView(getLoginPath());
+            this.session.setIsPKCEWorking(false);
+        }
+
+        return redirect;
+    }
+
+    private RedirectView getRedirectView() throws Exception {
+        RedirectView redirect;
+        if (this.session.getIsPKCEWorking()) {
+            redirect = new ACGAuthenticationMethod().initiateAuthorization(config, ESIGNATURE_SCOPES);
+        } else {
+            redirect = new RedirectView(getLoginPath());
+        }
+
         redirect.setExposeModelAttributes(false);
         return redirect;
     }
@@ -111,12 +132,16 @@ public Object populateLocals() throws IOException {
         OAuth2User oauthUser = oauth.getPrincipal();
         OAuth2AuthorizedClient oauthClient = authorizedClientService.loadAuthorizedClient(
                 oauth.getAuthorizedClientRegistrationId(),
-                oauthUser.getName()
-        );
+                oauthUser.getName());
 
         if (oauth.isAuthenticated()) {
             user.setName(oauthUser.getAttribute("name"));
-            user.setAccessToken(oauthClient.getAccessToken().getTokenValue());
+
+            if (oauthClient != null) {
+                user.setAccessToken(oauthClient.getAccessToken().getTokenValue());
+            } else {
+                user.setAccessToken(((OAuth.OAuthToken) oauthUser.getAttribute("access_token")).getAccessToken());
+            }
 
             if (account.isEmpty()) {
                 account = Optional.ofNullable(getDefaultAccountInfo(getOAuthAccounts(oauthUser)));
@@ -139,7 +164,7 @@ private String getBaseUrl(OAuth.Account oauthAccount) {
 
     private static List<OAuth.Account> getOAuthAccounts(OAuth2User user) {
         List<Map<String, Object>> oauthAccounts = user.getAttribute("accounts");
-        if(oauthAccounts == null){
+        if (oauthAccounts == null) {
             return new ArrayList<>();
         }
 
@@ -152,7 +177,7 @@ private OAuth.Account getDefaultAccountInfo(List<OAuth.Account> accounts) {
         String targetAccountId = config.getTargetAccountId();
         if (StringUtils.isNotBlank(targetAccountId)) {
             OAuth.Account account = getAccountById(accounts, targetAccountId);
-            if(account != null) {
+            if (account != null) {
                 return account;
             }
         }

Quick_ACG/src/main/java/com/docusign/core/model/Session.java

@@ -1,37 +1,33 @@
 package com.docusign.core.model;
 
+import com.docusign.esign.client.auth.OAuth;
 import lombok.Data;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.WebApplicationContext;
 
 import java.io.Serializable;
+import java.util.List;
 import java.util.UUID;
 
 @Component
-@Scope(value = WebApplicationContext.SCOPE_SESSION,
-        proxyMode = ScopedProxyMode.TARGET_CLASS)
+@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
 @Data
 public class Session implements Serializable {
     private static final long serialVersionUID = 2695379118371574037L;
 
+    public Long tokenExpirationTime;
+
     private String accountId;
+
     private String accountName;
+
     private String basePath;
-    private String statusCFR;
-    private String roomsBasePath;
+
     private String envelopeId;
-    private String templateId;
-    private String templateName;
-    private String permissionProfileId;
-    private String permissionProfileName;
-    private String apiIndexPath;
-    private boolean refreshToken = false;
-    private String clickwrapId;
-    private String clickwrapVersionNumber;
-    private String exportId;
-    private String importId;
-    private UUID orgId;
-    public UUID bulkListId;
+
+    private String statusCFR;
+
+    private Boolean isPKCEWorking = true;
 }

src/main/java/com/docusign/DSConfiguration.java

@@ -168,7 +168,7 @@ public ManifestStructure getCodeExamplesText() {
 
         try {
             codeExamplesText = new ObjectMapper().readValue(loadFileData(codeExamplesManifest),
-                ManifestStructure.class);
+                    ManifestStructure.class);
         } catch (Exception e) {
             e.printStackTrace();
         }
@@ -182,8 +182,8 @@ public String loadFileData(String linkToManifestFile) throws Exception {
         httpConnection.setRequestMethod(HttpMethod.GET);
 
         httpConnection.setRequestProperty(
-            HttpHeaders.CONTENT_TYPE,
-            String.valueOf(MediaType.APPLICATION_JSON));
+                HttpHeaders.CONTENT_TYPE,
+                String.valueOf(MediaType.APPLICATION_JSON));
 
         int responseCode = httpConnection.getResponseCode();