CESNET · vyskocilpavel · Oct 12, 2017 · Oct 12, 2017
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-data-context.xml b/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-data-context.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2017 The MIT Internet Trust Consortium
+
+    Portions copyright 2011-2013 The MITRE Corporation
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:jdbc="http://www.springframework.org/schema/jdbc"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+                                                http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd">
+
+    <!-- ==============  HSQL DB (in-memory)  =============== -->
+    <!--
+    <jdbc:initialize-database data-source="dataSource">
+        <jdbc:script location="classpath:/db/tables/hsql_database_tables.sql"/>
+        <jdbc:script location="classpath:/db/tables/security-schema.sql"/>
+        <jdbc:script location="classpath:/db/tables/loading_temp_tables.sql"/>
+        <jdbc:script location="classpath:/db/scopes.sql"/>
+        <jdbc:script location="classpath:/db/clients.sql"/>
+    </jdbc:initialize-database>
+
+
+    <bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
+        <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
+        <property name="jdbcUrl" value="jdbc:hsqldb:mem:oic;sql.syntax_mys=true" />
+        <property name="username" value="oic" />
+        <property name="password" value="oic" />
+    </bean>
+
+    <bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
+        <property name="databasePlatform" value="org.eclipse.persistence.platform.database.HSQLPlatform" />
+        <property name="showSql" value="true" />
+    </bean>
+    -->
+
+
+    <!-- ==============  PSQL DB (persist) =============== -->
+
+    <!-- Initialize db ONLY on first run -->
+    <!--
+        <jdbc:initialize-database data-source="dataSource">
+            <jdbc:script location="classpath:/db/tables/psql_database_tables.sql"/>
+            <jdbc:script location="classpath:/db/tables/psql_database_indexes.sql"/>
+            <jdbc:script location="classpath:/db/tables/security-schema.sql"/>
+            <jdbc:script location="classpath:/db/tables/loading_temp_tables.sql"/>
+        </jdbc:initialize-database>
+    -->
+    <bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
+        <property name="driverClassName" value="org.postgresql.Driver" />
+        <property name="jdbcUrl" value="jdbc:postgresql://localhost/oic" />
+        <!-- TODO: Fill username and password -->
+        <property name="username" value="" />
+        <property name="password" value="" />
+    </bean>
+
+    <bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
+        <property name="databasePlatform" value="org.eclipse.persistence.platform.database.PostgreSQLPlatform" />
+        <property name="showSql" value="true" />
+    </bean>
+
+</beans>
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-keystore.jwks b/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-keystore.jwks
@@ -0,0 +1,17 @@
+{
+  "keys": [
+        {
+          "p": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "kty": "RSA",
+          "q": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "d": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "e": "AQAB",
+          "kid": "rsa1",
+          "qi": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "dp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "dq": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+          "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+        }
+  ]
+}
+
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-scope.properties b/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-scope.properties
@@ -0,0 +1,43 @@
+# configure OIDC scopes, its claims, its json structure and map them to perun attributes.
+# if claim value begins with urn:perun: it will be considered as attribute name and will be replaced
+# with real user attribute value. Otherwise it is considered as constant value.
+
+# format is:
+# scope_name = {
+#   "claim_name": "attribute_name",
+#   "claim_name": "constant_value",
+#   "claim_name": {
+#       "key": "attribute_name",
+#       "key": { ... }
+#   }
+#}
+
+
+
+##### standard OIDC scopes #####
+
+openid = {\
+        "sub": "urn:perun:user:attribute-def:core:id"\
+  }
+
+profile = {\
+        "name": "urn:perun:user:attribute-def:core:displayName",\
+        "given_name": "urn:perun:user:attribute-def:core:firstName",\
+        "family_name": "urn:perun:user:attribute-def:core:lastName",\
+        "middle_name": "urn:perun:user:attribute-def:core:middleName",\
+        "preferred_username": "urn:perun:user:attribute-def:def:preferredMail"\
+  }
+
+email = {\
+        "email": "urn:perun:user:attribute-def:def:preferredMail"\
+  }
+
+phone = {\
+        "phone": "urn:perun:user:attribute-def:def:phone"\
+  }
+
+address = {\
+        "address": {\
+                "formatted": "urn:perun:user:attribute-def:def:address"\
+        }\
+  }
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-server-config.xml b/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-server-config.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2017 The MIT Internet Trust Consortium
+
+    Portions copyright 2011-2013 The MITRE Corporation
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:tx="http://www.springframework.org/schema/tx"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:security="http://www.springframework.org/schema/security"
+       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+       xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+                http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
+                http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+                http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
+                http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+
+    <bean id="configBean" class="org.mitre.openid.connect.config.ConfigurationPropertiesBean">
+
+        <!-- This property sets the root URL of the server, known as the issuer -->
+        <!-- TODO: Fill value -->
+        <property name="issuer" value="" />
+
+        <!-- This property is a URL pointing to a logo image 24px high to be used in the top bar -->
+        <property name="logoImageUrl" value="resources/images/perun_24px.png" />
+
+        <!-- This property sets the display name of the server, displayed in the topbar and page title -->
+        <property name="topbarTitle" value="Perun OIDC" />
+
+        <!-- This property sets the lifetime of registration access tokens, in seconds. Leave it unset (null) for no rotation. -->
+        <!-- <property name="regTokenLifeTime" value="172800" /> -->
+
+        <!-- This property forces the issuer value to start with "https", recommended on production servers -->
+        <property name="forceHttps" value="true" />
+
+        <!-- This property sets the locale for server text -->
+        <!-- <property name="locale" value="sv" /> -->
+
+        <!-- This property sets the set of namespaces for language translation files. The default is "messages". These are checked in the order presented here. -->
+        <!--
+        <property name="languageNamespaces">
+            <list>
+                <value>foo</value>
+                <value>bar</value>
+                <value>messages</value>
+            </list>
+        </property>
+        -->
+
+        <!-- This property indicates if a dynamically registered client supports dual flows, such as client_credentials
+        at the same time with authorization_code or implicit -->
+        <!-- <property name="dualClient" value="true" /> -->
+
+        <!-- This property turns on HEART compliance mode -->
+        <!-- <property name="heartMode" value="true" /> -->
+
+    </bean>
+
+</beans>
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-server.properties b/perun-oidc-server-overlay/perun-oidc-server-config-template/perun-oidc-server.properties
@@ -0,0 +1,16 @@
+
+# Credentials to communicate with perun via basic auth. Should have sufficient privileges.
+oidc.perun.username=
+oidc.perun.password=
+
+# URL pointing to perun rpc. Must ends with '/' e.g. http://localhost/krb/rpc/json/
+oidc.perun.url=
+
+# URL pointing to userinfo endpoint. Where access token is consumed
+oidc.userinfo.endpoint=
+
+# List of Perun user IDs divided by ',' which will be admins of Authorization server.
+oidc.admins=
+
+# Public URL to instance logo. e.g. Shown on consent page.
+oidc.logoUrl=
diff --git a/perun-oidc-server-overlay/perun-oidc-server-config-template/readme.md b/perun-oidc-server-overlay/perun-oidc-server-config-template/readme.md
@@ -0,0 +1,32 @@
+### Create a folder /etc/perun/
+<pre>
+mkdir /etc/perun/
+cd /etc/perun/
+</pre>
+
+### Copy this template files into /etc/perun/ and edit them:
+
+1. perun-oidc-data-context.xml - PSQL DB
+    * Uncomment initialize-database element for first run
+    * Modify username and password value in dataSource bean
+
+2. perun-oidc-scopes.properties
+    * Modify in relation to perun attributes you have
+
+3. perun-oidc-server.properties
+    * Communication details with Perun. Follow comments.
+    * Do not forget to add your perun user IDs.
+
+4. perun-oidc-server-config.xml
+    * Modify issuer property
+
+5. perun-oidc-keystore.jwks
+    * generate new set of keys here: https://github.com/mitreid-connect/json-web-key-generator
+    * download as zip
+    * extract and go to folder
+    *run: 
+    <pre>
+    mvn package
+    java -jar target/json-...-jar-with-dependencies.jar -t RSA -s 2048 -i rsa1
+    </pre>
+    * copy output to the file into json array “keys”
diff --git a/perun-oidc-server-overlay/src/main/resources/db/clients.sql b/perun-oidc-server-overlay/src/main/resources/db/clients.sql
@@ -2,7 +2,7 @@
 -- Turn off autocommit and start a transaction so that we can use the temp tables
 --
 
-SET AUTOCOMMIT FALSE;
+SET AUTOCOMMIT = OFF;
 
 START TRANSACTION;
 
@@ -35,35 +35,31 @@ INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
 -- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
 --
 
-MERGE INTO client_details 
-  USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) AS vals(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
-  ON vals.client_id = client_details.client_id
-  WHEN NOT MATCHED THEN 
-    INSERT (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection);
+INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
+  SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP
+ON CONFLICT
+  DO NOTHING;
 
-MERGE INTO client_scope 
-  USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) AS vals(id, scope)
-  ON vals.id = client_scope.owner_id AND vals.scope = client_scope.scope
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, scope) values (vals.id, vals.scope);
+INSERT INTO client_scope (scope)
+  SELECT scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id
+ON CONFLICT
+  DO NOTHING;
 
-MERGE INTO client_redirect_uri 
-  USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) AS vals(id, redirect_uri)
-  ON vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri);
+INSERT INTO client_redirect_uri (redirect_uri)
+  SELECT redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id
+ON CONFLICT
+  DO NOTHING;
 
-MERGE INTO client_grant_type 
-  USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) AS vals(id, grant_type)
-  ON vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, grant_type) values (vals.id, vals.grant_type);
+INSERT INTO client_grant_type (grant_type)
+  SELECT grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id
+ON CONFLICT
+  DO NOTHING;
 
 -- 
 -- Close the transaction and turn autocommit back on
 -- 
 
 COMMIT;
 
-SET AUTOCOMMIT TRUE;
+SET AUTOCOMMIT =ON;
 
diff --git a/perun-oidc-server-overlay/src/main/resources/db/scopes.sql b/perun-oidc-server-overlay/src/main/resources/db/scopes.sql
@@ -2,7 +2,7 @@
 -- Turn off autocommit and start a transaction so that we can use the temp tables
 --
 
-SET AUTOCOMMIT FALSE;
+SET AUTOCOMMIT = OFF;
 
 START TRANSACTION;
 
@@ -22,12 +22,12 @@ INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_sco
 -- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
 --
 
-MERGE INTO system_scope
-	USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope, structured, structured_param_description)
-	ON vals.scope = system_scope.scope
-	WHEN NOT MATCHED THEN
-	  INSERT (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description);
+INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description)
+  SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP
+  ON CONFLICT(scope)
+  DO NOTHING;
+
 
 COMMIT;
 
-SET AUTOCOMMIT TRUE;
+SET AUTOCOMMIT = ON;
diff --git a/perun-oidc-server-overlay/src/main/resources/db/tables/loading_temp_tables.sql b/perun-oidc-server-overlay/src/main/resources/db/tables/loading_temp_tables.sql
@@ -6,12 +6,14 @@
 CREATE TEMPORARY TABLE IF NOT EXISTS authorities_TEMP (
       username varchar(50) not null,
       authority varchar(50) not null,
-      constraint ix_authority_TEMP unique (username,authority));
+      constraint ix_authority_TEMP unique (username,authority)
+);
 
 CREATE TEMPORARY TABLE IF NOT EXISTS users_TEMP (
       username varchar(50) not null primary key,
       password varchar(50) not null,
-      enabled boolean not null);
+      enabled boolean not null
+);
 
 CREATE TEMPORARY TABLE IF NOT EXISTS user_info_TEMP (
 	sub VARCHAR(256) not null primary key,

diff --git a/perun-oidc-server-overlay/src/main/resources/db/tables/psql_database_indexes.sql b/perun-oidc-server-overlay/src/main/resources/db/tables/psql_database_indexes.sql
@@ -0,0 +1,18 @@
+--
+-- Indexes for PostgreSQL
+--
+
+CREATE INDEX IF NOT EXISTS at_tv_idx ON access_token(token_value);
+CREATE INDEX IF NOT EXISTS ts_oi_idx ON token_scope(owner_id);
+CREATE INDEX IF NOT EXISTS at_exp_idx ON access_token(expiration);
+CREATE INDEX IF NOT EXISTS rf_ahi_idx ON refresh_token(auth_holder_id);
+CREATE INDEX IF NOT EXISTS cd_ci_idx ON client_details(client_id);
+CREATE INDEX IF NOT EXISTS at_ahi_idx ON access_token(auth_holder_id);
+CREATE INDEX IF NOT EXISTS aha_oi_idx ON authentication_holder_authority(owner_id);
+CREATE INDEX IF NOT EXISTS ahe_oi_idx ON authentication_holder_extension(owner_id);
+CREATE INDEX IF NOT EXISTS ahrp_oi_idx ON authentication_holder_request_parameter(owner_id);
+CREATE INDEX IF NOT EXISTS ahri_oi_idx ON authentication_holder_resource_id(owner_id);
+CREATE INDEX IF NOT EXISTS ahrt_oi_idx ON authentication_holder_response_type(owner_id);
+CREATE INDEX IF NOT EXISTS ahs_oi_idx ON authentication_holder_scope(owner_id);
+CREATE INDEX IF NOT EXISTS ac_ahi_idx ON authorization_code(auth_holder_id);
+CREATE INDEX IF NOT EXISTS suaa_oi_idx ON saved_user_auth_authority(owner_id);