Merge pull request #138 from ExclamationLabs/2024/05/FIN-492_secure_a…

…ll_oauth_passwords

FIN-492 Secure all oauth passwords/secret

CHANGELOG.md

@@ -9,6 +9,7 @@ and minimize the interactions with the ConnId framework and have much of that
 taken care of by a common API.
 
 # Change Log
++ **4.2** - FIN-492 - Secure all Auth password (05/23/2024)
 + **4.1.14** - FIN-10315 - Change cancellation errors to log warn to resolve UKG import issue (03/04/2024)
 + **4.1.13** - FIN-11284 - Adopt Gradle lockfile and include preparatory steps for JDK 17 in future (02/07/2024)
 + **4.1.12** - FIN-11284 - Update Spring to 2.7.18 (02/06/2024)

gradle.properties

@@ -1,4 +1,4 @@
-software_version=4.1.14
+software_version=4.2
 test_connector_version=3.0.1
 spring_boot_version=2.7.18
 

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/DirectAccessTokenAuthenticator.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.DirectAccessTokenConfiguration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import org.identityconnectors.framework.common.exceptions.ConnectorSecurityException;
 
 public class DirectAccessTokenAuthenticator
@@ -25,6 +26,6 @@ public class DirectAccessTokenAuthenticator
   @Override
   public String authenticate(DirectAccessTokenConfiguration configuration)
       throws ConnectorSecurityException {
-    return configuration.getToken();
+    return GuardedStringUtil.read(configuration.getToken());
   }
 }

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/JWTHS256Authenticator.java

@@ -20,6 +20,7 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTCreationException;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.JwtHs256Configuration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import java.util.*;
 import org.identityconnectors.framework.common.exceptions.ConnectorSecurityException;
 
@@ -35,7 +36,7 @@ public String authenticate(JwtHs256Configuration configuration)
     try {
       long expirationLength = configuration.getExpirationPeriod();
       Date expirationDate = new Date(System.currentTimeMillis() + expirationLength);
-      Algorithm algorithm = Algorithm.HMAC256(configuration.getSecret());
+      Algorithm algorithm = Algorithm.HMAC256(GuardedStringUtil.read(configuration.getSecret()));
       Map<String, Object> headerClaims = new HashMap<>();
       headerClaims.put("alg", "HS256");
       headerClaims.put("typ", "JWT");

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/OAuth2TokenAuthorizationCodeAuthenticator.java

@@ -18,6 +18,7 @@
 
 import com.exclamationlabs.connid.base.connector.authenticator.util.OAuth2TokenExecution;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.Oauth2AuthorizationCodeConfiguration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import com.google.gson.GsonBuilder;
 import java.io.IOException;
 import java.util.*;
@@ -52,12 +53,15 @@ public String authenticate(Oauth2AuthorizationCodeConfiguration configuration)
       HttpPost request = new HttpPost(configuration.getTokenUrl());
       List<NameValuePair> form = new ArrayList<>();
       form.add(new BasicNameValuePair("grant_type", getGrantType()));
-      form.add(new BasicNameValuePair("code", configuration.getAuthorizationCode()));
+      form.add(
+          new BasicNameValuePair(
+              "code", GuardedStringUtil.read(configuration.getAuthorizationCode())));
       if (StringUtils.isNotBlank(configuration.getClientId())) {
         form.add(new BasicNameValuePair("client_id", configuration.getClientId()));
       }
-      if (StringUtils.isNotBlank(configuration.getClientSecret())) {
-        form.add(new BasicNameValuePair("client_secret", configuration.getClientSecret()));
+      String secretValue = GuardedStringUtil.read(configuration.getClientSecret());
+      if (StringUtils.isNotBlank(secretValue)) {
+        form.add(new BasicNameValuePair("client_secret", secretValue));
       }
       if (StringUtils.isNotBlank(configuration.getRedirectUri())) {
         form.add(new BasicNameValuePair("redirect_uri", configuration.getRedirectUri()));

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/OAuth2TokenPasswordAuthenticator.java

@@ -18,6 +18,7 @@
 
 import com.exclamationlabs.connid.base.connector.authenticator.util.OAuth2TokenExecution;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.Oauth2PasswordConfiguration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import com.google.gson.GsonBuilder;
 import java.io.IOException;
 import java.util.*;
@@ -50,7 +51,9 @@ public String authenticate(Oauth2PasswordConfiguration configuration)
       List<NameValuePair> form = new ArrayList<>();
       form.add(new BasicNameValuePair("grant_type", getGrantType()));
       form.add(new BasicNameValuePair("username", configuration.getOauth2Username()));
-      form.add(new BasicNameValuePair("password", configuration.getOauth2Password()));
+      form.add(
+          new BasicNameValuePair(
+              "password", GuardedStringUtil.read(configuration.getOauth2Password())));
       addAdditionalFormFields(form);
       UrlEncodedFormEntity entity = new UrlEncodedFormEntity(form, Consts.UTF_8);
       request.setHeader(HttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded");

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/OAuth2TokenRefreshTokenAuthenticator.java

@@ -18,6 +18,7 @@
 
 import com.exclamationlabs.connid.base.connector.authenticator.util.OAuth2TokenExecution;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.Oauth2RefreshTokenConfiguration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import com.google.gson.GsonBuilder;
 import java.io.IOException;
 import java.util.*;
@@ -56,8 +57,10 @@ public String authenticate(Oauth2RefreshTokenConfiguration configuration)
       if (StringUtils.isNotBlank(configuration.getClientId())) {
         form.add(new BasicNameValuePair("client_id", configuration.getClientId()));
       }
-      if (StringUtils.isNotBlank(configuration.getClientSecret())) {
-        form.add(new BasicNameValuePair("client_secret", configuration.getClientSecret()));
+
+      String passwordValue = GuardedStringUtil.read(configuration.getClientSecret());
+      if (StringUtils.isNotBlank(passwordValue)) {
+        form.add(new BasicNameValuePair("client_secret", passwordValue));
       }
       addAdditionalFormFields(form);
 

src/main/java/com/exclamationlabs/connid/base/connector/authenticator/keys/JKSRSAPrivateKeyLoader.java

@@ -18,6 +18,7 @@
 
 import com.exclamationlabs.connid.base.connector.authenticator.util.FileLoaderUtil;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.JksConfiguration;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.*;
@@ -34,7 +35,8 @@ public RSAPrivateKey load(JksConfiguration configuration) throws ConnectorSecuri
     RSAPrivateKey privateKey;
     try {
       keystore = KeyStore.getInstance("JKS");
-      char[] keystorePassword = configuration.getJksPassword().toCharArray();
+      char[] keystorePassword =
+          GuardedStringUtil.read(configuration.getJksPassword()).toCharArray();
       String jksFile =
           FileLoaderUtil.getFileLocation(
               configuration.getName(), "jksFile", configuration.getJksFile());

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/HttpBasicAuthConfiguration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration properties for connectors that require HTTP Basic Authentication at their
@@ -27,7 +28,7 @@ public interface HttpBasicAuthConfiguration extends ConnectorConfiguration {
 
   void setBasicUsername(String input);
 
-  String getBasicPassword();
+  GuardedString getBasicPassword();
 
-  void setBasicPassword(String input);
+  void setBasicPassword(GuardedString input);
 }

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/JksConfiguration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration properties for connectors that need to provide a JKS file as part of their
@@ -27,9 +28,9 @@ public interface JksConfiguration extends ConnectorConfiguration {
 
   void setJksFile(String input);
 
-  String getJksPassword();
+  GuardedString getJksPassword();
 
-  void setJksPassword(String input);
+  void setJksPassword(GuardedString input);
 
   String getJksAlias();
 

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/authenticator/DirectAccessTokenConfiguration.java

@@ -17,10 +17,11 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /** Configuration properties for connectors that require a fixed token for authentication. */
 public interface DirectAccessTokenConfiguration extends ConnectorConfiguration {
-  String getToken();
+  GuardedString getToken();
 
-  void setToken(String input);
+  void setToken(GuardedString input);
 }

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/authenticator/JwtHs256Configuration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration for connectors that require using the HS256 strategy for authentication. JWS: HS256
@@ -27,9 +28,9 @@ public interface JwtHs256Configuration extends ConnectorConfiguration {
 
   void setIssuer(String input);
 
-  String getSecret();
+  GuardedString getSecret();
 
-  void setSecret(String input);
+  void setSecret(GuardedString input);
 
   Long getExpirationPeriod();
 

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/authenticator/Oauth2AuthorizationCodeConfiguration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration properties for connectors that authenticate using the OAuth2 "authorization_code"
@@ -28,17 +29,17 @@ public interface Oauth2AuthorizationCodeConfiguration
 
   void setTokenUrl(String input);
 
-  String getAuthorizationCode();
+  GuardedString getAuthorizationCode();
 
-  void setAuthorizationCode(String input);
+  void setAuthorizationCode(GuardedString input);
 
   String getClientId();
 
   void setClientId(String input);
 
-  String getClientSecret();
+  GuardedString getClientSecret();
 
-  void setClientSecret(String input);
+  void setClientSecret(GuardedString input);
 
   String getRedirectUri();
 

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/authenticator/Oauth2PasswordConfiguration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration properties for connectors that authenticate using the OAuth2 "password" grant type.
@@ -26,15 +27,15 @@ public interface Oauth2PasswordConfiguration extends ConnectorConfiguration, Oau
 
   void setTokenUrl(String input);
 
-  String getEncodedSecret();
+  GuardedString getEncodedSecret();
 
-  void setEncodedSecret(String input);
+  void setEncodedSecret(GuardedString input);
 
   String getOauth2Username();
 
   void setOauth2Username(String input);
 
-  String getOauth2Password();
+  GuardedString getOauth2Password();
 
-  void setOauth2Password(String input);
+  void setOauth2Password(GuardedString input);
 }

src/main/java/com/exclamationlabs/connid/base/connector/configuration/basetypes/security/authenticator/Oauth2RefreshTokenConfiguration.java

@@ -17,6 +17,7 @@
 package com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator;
 
 import com.exclamationlabs.connid.base.connector.configuration.ConnectorConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 
 /**
  * Configuration properties for connectors that authenticate using the OAuth2 "refresh_token" grant
@@ -36,7 +37,7 @@ public interface Oauth2RefreshTokenConfiguration
 
   void setClientId(String input);
 
-  String getClientSecret();
+  GuardedString getClientSecret();
 
-  void setClientSecret(String input);
+  void setClientSecret(GuardedString input);
 }

src/main/java/com/exclamationlabs/connid/base/connector/driver/rest/BaseRestDriver.java

@@ -28,6 +28,7 @@
 import com.exclamationlabs.connid.base.connector.driver.rest.util.CustomConnectionSocketFactory;
 import com.exclamationlabs.connid.base.connector.driver.rest.util.HttpDeleteWithBody;
 import com.exclamationlabs.connid.base.connector.logging.Logger;
+import com.exclamationlabs.connid.base.connector.util.GuardedStringUtil;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonSyntaxException;
@@ -195,7 +196,8 @@ protected CredentialsProvider setupBasicAuth(HttpBasicAuthConfiguration configur
     CredentialsProvider basicAuthProvider = new BasicCredentialsProvider();
     UsernamePasswordCredentials credentials =
         new UsernamePasswordCredentials(
-            configuration.getBasicUsername(), configuration.getBasicPassword());
+            configuration.getBasicUsername(),
+            GuardedStringUtil.read(configuration.getBasicPassword()));
     basicAuthProvider.setCredentials(AuthScope.ANY, credentials);
     return basicAuthProvider;
   }

src/test/java/com/exclamationlabs/connid/base/connector/authenticator/DirectAccessTokenAuthenticatorTest.java

@@ -22,6 +22,7 @@
 import com.exclamationlabs.connid.base.connector.configuration.ConfigurationInfo;
 import com.exclamationlabs.connid.base.connector.configuration.DefaultConnectorConfiguration;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.DirectAccessTokenConfiguration;
+import org.identityconnectors.common.security.GuardedString;
 import org.identityconnectors.framework.common.exceptions.ConnectorSecurityException;
 import org.junit.jupiter.api.Test;
 
@@ -47,15 +48,15 @@ static class TestConfiguration extends DefaultConnectorConfiguration
       implements DirectAccessTokenConfiguration {
 
     @ConfigurationInfo(path = "security.authenticator.directAccessToken.token")
-    private String token;
+    private GuardedString token;
 
     @Override
-    public String getToken() {
+    public GuardedString getToken() {
       return token;
     }
 
     @Override
-    public void setToken(String input) {
+    public void setToken(GuardedString input) {
       token = input;
     }
   }

src/test/java/com/exclamationlabs/connid/base/connector/authenticator/integration/JWTHS256AuthenticatorTest.java

@@ -23,6 +23,7 @@
 import com.exclamationlabs.connid.base.connector.configuration.*;
 import com.exclamationlabs.connid.base.connector.configuration.basetypes.security.authenticator.JwtHs256Configuration;
 import com.exclamationlabs.connid.base.connector.test.IntegrationTest;
+import org.identityconnectors.common.security.GuardedString;
 import org.junit.jupiter.api.Test;
 
 public class JWTHS256AuthenticatorTest extends IntegrationTest {
@@ -53,7 +54,7 @@ public TestConfiguration(String nameIn) {
     private String issuer;
 
     @ConfigurationInfo(path = "security.authenticator.jwtHs256.secret")
-    private String secret;
+    private GuardedString secret;
 
     @ConfigurationInfo(path = "security.authenticator.jwtHs256.expirationPeriod")
     private Long expirationPeriod;
@@ -69,12 +70,12 @@ public void setIssuer(String input) {
     }
 
     @Override
-    public String getSecret() {
+    public GuardedString getSecret() {
       return secret;
     }
 
     @Override
-    public void setSecret(String input) {
+    public void setSecret(GuardedString input) {
       secret = input;
     }