fix jooby-project#10 sign session cookieID, ONLY if an application.secret is provided

jknack · jknack · commit 406056b8d909 · 2014-12-13T18:31:12.000-03:00
diff --git a/jooby/src/main/java/org/jooby/Cookie.java b/jooby/src/main/java/org/jooby/Cookie.java
@@ -20,6 +20,8 @@
 
 import static java.util.Objects.requireNonNull;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Optional;
 import java.util.regex.Pattern;
 
@@ -411,9 +413,11 @@ class Signature {
      * @param value A value to sign.
      * @param secret A secret key.
      * @return A signed value.
-     * @throws Exception When signature isn't possible.
+     * @throws NoSuchAlgorithmException If {@link #HMAC_SHA256} is missing.
+     * @throws InvalidKeyException If secret key is wrong (bad encoding, too short, etc.)
      */
-    public static String sign(final String value, final String secret) throws Exception {
+    public static String sign(final String value, final String secret)
+        throws NoSuchAlgorithmException, InvalidKeyException {
       requireNonNull(value, "A value is required.");
       requireNonNull(secret, "A secret is required.");
 
@@ -430,9 +434,11 @@ public static String sign(final String value, final String secret) throws Except
      * @param value A signed value.
      * @param secret A secret key.
      * @return A new signed value.
-     * @throws Exception When signature isn't possible.
+     * @throws NoSuchAlgorithmException If {@link #HMAC_SHA256} is missing.
+     * @throws InvalidKeyException If secret key is wrong (bad encoding, too short, etc.)
      */
-    public static String unsign(final String value, final String secret) throws Exception {
+    public static String unsign(final String value, final String secret)
+        throws InvalidKeyException, NoSuchAlgorithmException {
       requireNonNull(value, "A value is required.");
       requireNonNull(secret, "A secret is required.");
       int dot = value.indexOf(SEP);
@@ -448,9 +454,11 @@ public static String unsign(final String value, final String secret) throws Exce
      * @param value A signed value.
      * @param secret A secret key.
      * @return True, if the given signed value is valid.
-     * @throws Exception When signature isn't possible.
+     * @throws NoSuchAlgorithmException If {@link #HMAC_SHA256} is missing.
+     * @throws InvalidKeyException If secret key is wrong (bad encoding, too short, etc.)
      */
-    public static boolean valid(final String value, final String secret) throws Exception {
+    public static boolean valid(final String value, final String secret)
+        throws InvalidKeyException, NoSuchAlgorithmException {
       return value.equals(unsign(value, secret));
     }
 
diff --git a/jooby/src/main/java/org/jooby/Jooby.java b/jooby/src/main/java/org/jooby/Jooby.java
@@ -1996,17 +1996,6 @@ private Config buildConfig(final Config source) {
         .get()
         .getString("application.env");
 
-    String secret = Arrays
-        .asList(system, source, jooby)
-        .stream()
-        .filter(it -> it.hasPath("application.secret"))
-        .findFirst()
-        .orElseGet(() ->
-            ConfigFactory.empty()
-                .withValue("application.secret", ConfigValueFactory.fromAnyRef(""))
-        )
-        .getString("application.secret");
-
     Config modeConfig = modeConfig(source, env);
 
     // application.[env].conf -> application.conf
@@ -2016,7 +2005,7 @@ private Config buildConfig(final Config source) {
         .withFallback(config)
         .withFallback(moduleStack)
         .withFallback(MediaType.types)
-        .withFallback(defaultConfig(config, env, secret))
+        .withFallback(defaultConfig(config, env))
         .withFallback(jooby)
         .resolve();
   }
@@ -2069,10 +2058,9 @@ private Config fileConfig(final String fname) {
    *
    * @param config A source config.
    * @param env Application env.
-   * @param secret Application secret.
    * @return default properties.
    */
-  private Config defaultConfig(final Config config, final String env, final String secret) {
+  private Config defaultConfig(final Config config, final String env) {
     Map<String, Object> defaults = new LinkedHashMap<>();
 
     // set app name
@@ -2101,19 +2089,6 @@ private Config defaultConfig(final Config config, final String env, final String
       defaults.put("numberFormat", pattern);
     }
 
-    // last check app secret
-    if (secret.length() == 0) {
-      if ("dev".equalsIgnoreCase(env)) {
-        // it will survive between restarts and allow to have different apps running for
-        // development.
-        String devRandomSecret = getClass().getResource(getClass().getSimpleName() + ".class")
-            .toString();
-        defaults.put("secret", devRandomSecret);
-      } else {
-        throw new IllegalStateException("No application.secret has been defined");
-      }
-    }
-
     Map<String, Object> application = ImmutableMap.of("application", defaults);
     return ConfigValueFactory.fromMap(application).toConfig();
   }
diff --git a/jooby/src/main/java/org/jooby/Session.java b/jooby/src/main/java/org/jooby/Session.java
@@ -22,7 +22,6 @@
 
 import java.util.Map;
 import java.util.Optional;
-import java.util.UUID;
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -291,13 +290,14 @@ public void delete(final String id) {
     void delete(@Nonnull String id) throws Exception;
 
     /**
-     * Generate a session ID.
+     * Generate a session ID, if <code>null</code> is returned the default ID generator will be
+     * use it.
      *
      * @param seed A seed to use (if need it).
      * @return A unique session ID.
      */
     default String generateID(final long seed) {
-      return UUID.randomUUID().toString();
+      return null;
     }
   }
 
diff --git a/jooby/src/main/java/org/jooby/internal/jetty/JettyServerBuilder.java b/jooby/src/main/java/org/jooby/internal/jetty/JettyServerBuilder.java
@@ -47,9 +47,6 @@
 import org.eclipse.jetty.websocket.api.WebSocketBehavior;
 import org.eclipse.jetty.websocket.api.WebSocketPolicy;
 import org.eclipse.jetty.websocket.server.WebSocketServerFactory;
-import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
-import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
-import org.eclipse.jetty.websocket.servlet.WebSocketCreator;
 import org.jooby.Session;
 import org.jooby.Session.Store;
 import org.jooby.WebSocket;
@@ -135,7 +132,8 @@ public static Server build(final Config config, final RouteHandler routeHandler)
      */
     Session.Store store = sessionDef.store();
     Session.Store forwardingStore = fwdStore(store);
-    String secret = config.getString("application.secret");
+    String secret = config.hasPath("application.secret")
+        ? config.getString("application.secret") : null;
     JoobySessionManager sessionManager = new JoobySessionManager(forwardingStore, secret);
     Config $session = config.getConfig("application.session");
 
@@ -190,21 +188,17 @@ public static Server build(final Config config, final RouteHandler routeHandler)
       WebSocketPolicy policy = configure(new WebSocketPolicy(WebSocketBehavior.SERVER),
           config.getConfig("jetty.ws.policy"));
       WebSocketServerFactory socketServerFactory = new WebSocketServerFactory(policy);
-      socketServerFactory.setCreator(new WebSocketCreator() {
-        @Override
-        public Object createWebSocket(final ServletUpgradeRequest req,
-            final ServletUpgradeResponse resp) {
-          String path = req.getRequestPath();
-          for (WebSocket.Definition socketDef : sockets) {
-            Optional<WebSocket> matches = socketDef.matches(path);
-            if (matches.isPresent()) {
-              WebSocketImpl socket = (WebSocketImpl) matches.get();
-              return new JettyWebSocketHandler(injector, config, socket);
-            }
-          }
-          return null;
-        }
-      });
+      socketServerFactory.setCreator((req, resp) -> {
+     String path = req.getRequestPath();
+     for (WebSocket.Definition socketDef : sockets) {
+      Optional<WebSocket> matches = socketDef.matches(path);
+      if (matches.isPresent()) {
+        WebSocketImpl socket = (WebSocketImpl) matches.get();
+        return new JettyWebSocketHandler(injector, config, socket);
+      }
+     }
+     return null;
+    });
 
       handler.addBean(socketServerFactory);
     }
@@ -250,7 +244,7 @@ public void lifeCycleStarted(final LifeCycle event) {
     return server;
   }
 
-  private static Store fwdStore(Session.Store store) {
+  private static Store fwdStore(final Session.Store store) {
     return new Session.Store() {
 
       @Override
diff --git a/jooby/src/main/java/org/jooby/internal/jetty/JoobySession.java b/jooby/src/main/java/org/jooby/internal/jetty/JoobySession.java
@@ -20,6 +20,8 @@
 
 import static java.util.Objects.requireNonNull;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
@@ -130,15 +132,17 @@ public boolean access(final long time) {
   public boolean isValid() {
     boolean valid = super.isValid();
     if (valid) {
-      try {
-        String sessionId = getClusterId();
-        if (!Cookie.Signature.valid(sessionId, secret)) {
-          Session.log.warn("cookie signature invalid: {}", sessionId);
+      if (secret != null) {
+        try {
+          String sessionId = getClusterId();
+          if (!Cookie.Signature.valid(sessionId, secret)) {
+            Session.log.warn("cookie signature invalid: {}", sessionId);
+            return false;
+          }
+        } catch (NoSuchAlgorithmException | InvalidKeyException ex) {
+          Session.log.warn("cookie signature invalid: " + getClusterId(), ex);
           return false;
         }
-      } catch (Exception ex) {
-        Session.log.warn("cookie signature invalid: " + getClusterId(), ex);
-        return false;
       }
     }
     return valid;
diff --git a/jooby/src/main/java/org/jooby/internal/jetty/JoobySessionIdManager.java b/jooby/src/main/java/org/jooby/internal/jetty/JoobySessionIdManager.java
@@ -20,6 +20,10 @@
 
 import static java.util.Objects.requireNonNull;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Optional;
+
 import org.eclipse.jetty.server.session.HashSessionIdManager;
 import org.jooby.Cookie;
 import org.jooby.Session.Store;
@@ -32,17 +36,21 @@ public class JoobySessionIdManager extends HashSessionIdManager {
 
   public JoobySessionIdManager(final Store generator, final String secret) {
     this.generator = requireNonNull(generator, "A ID generator is required.");
-    this.secret = requireNonNull(secret, "An application.secret is required.");
+    this.secret = secret;
   }
 
   @Override
   public String newSessionId(final long seedTerm) {
+    // generate ID.
+    String id = Optional.ofNullable(generator.generateID(seedTerm))
+        .orElse(super.newSessionId(seedTerm));
+
+    if (secret == null) {
+      return id;
+    }
     try {
-      String id = generator.generateID(seedTerm);
       return Cookie.Signature.sign(id, secret);
-    } catch (RuntimeException ex) {
-      throw ex;
-    } catch (Exception ex) {
+    } catch (InvalidKeyException | NoSuchAlgorithmException ex) {
       throw new IllegalStateException("Can't sign session ID", ex);
     }
   }
diff --git a/jooby/src/main/java/org/jooby/internal/jetty/JoobySessionManager.java b/jooby/src/main/java/org/jooby/internal/jetty/JoobySessionManager.java
@@ -49,7 +49,7 @@ public class JoobySessionManager extends AbstractSessionManager {
 
   public JoobySessionManager(final Session.Store store, final String secret) {
     this.store = requireNonNull(store, "A session store is required.");
-    this.secret = requireNonNull(secret, "An application secret is required.");
+    this.secret = secret;
     setSessionIdManager(new JoobySessionIdManager(store, secret));
   }
 
diff --git a/jooby/src/test/java/org/jooby/JoobyTest.java b/jooby/src/test/java/org/jooby/JoobyTest.java
@@ -33,8 +33,8 @@
 import org.jooby.fn.Switch;
 import org.jooby.internal.AssetFormatter;
 import org.jooby.internal.BuiltinBodyConverter;
-import org.jooby.internal.RouteMetadata;
 import org.jooby.internal.RouteImpl;
+import org.jooby.internal.RouteMetadata;
 import org.jooby.internal.Server;
 import org.jooby.internal.TypeConverters;
 import org.jooby.internal.jetty.JettyServer;
@@ -356,43 +356,6 @@ public Object m1() {
     TypeConverters.configure(unit.get(Binder.class));
   };
 
-  @Test(expected = IllegalStateException.class)
-  public void noApplicationSecret() throws Exception {
-
-    new MockUnit(Binder.class)
-        .expect(guice)
-        .expect(shutdown)
-        .expect(config)
-        .expect(env)
-        .expect(charset)
-        .expect(locale)
-        .expect(zoneId)
-        .expect(timeZone)
-        .expect(dateTimeFormatter)
-        .expect(numberFormat)
-        .expect(decimalFormat)
-        .expect(bodyParser)
-        .expect(bodyFormatter)
-        .expect(session)
-        .expect(routes)
-        .expect(webSockets)
-        .expect(reqModules)
-        .expect(tmpdir)
-        .expect(err)
-        .run(
-            unit -> {
-
-              Jooby jooby = new Jooby();
-
-              jooby.use(ConfigFactory.empty()
-                  .withValue("application.env", ConfigValueFactory.fromAnyRef("prod"))
-                  );
-
-              jooby.start();
-
-            }, boot);
-  }
-
   @Test
   public void applicationSecret() throws Exception {
 
diff --git a/jooby/src/test/java/org/jooby/SessionNoopTest.java b/jooby/src/test/java/org/jooby/SessionNoopTest.java
@@ -1,6 +1,5 @@
 package org.jooby;
 
-import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 
 import org.jooby.Session.Store.SaveReason;
@@ -13,7 +12,7 @@ public void noop() throws Exception {
     new MockUnit(Session.Builder.class, Session.class)
         .run(unit -> {
           Session.Store.NOOP.delete("id");
-          assertNotNull(Session.Store.NOOP.generateID(0));
+          assertNull(Session.Store.NOOP.generateID(0));
           assertNull(Session.Store.NOOP.get(unit.get(Session.Builder.class)));
           Session.Store.NOOP.save(unit.get(Session.class), SaveReason.NEW);
         });
diff --git a/jooby/src/test/java/org/jooby/integration/SessionCookieFeature.java b/jooby/src/test/java/org/jooby/integration/SessionCookieFeature.java
@@ -34,7 +34,6 @@ public class SessionCookieFeature extends ServerFeature {
       @Override
       public void save(final Session session, final SaveReason reason) {
         assertNotNull(session);
-        session.set("saves", ((int) session.get("saves").orElse(0)) + 1);
       }
 
       @Override
diff --git a/jooby/src/test/java/org/jooby/integration/SessionCookieNoSecretFeature.java b/jooby/src/test/java/org/jooby/integration/SessionCookieNoSecretFeature.java

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ public class JoobySessionManager extends AbstractSessionManager {`
`49`	`49`
`50`	`50`	`public JoobySessionManager(final Session.Store store, final String secret) {`
`51`	`51`	`this.store = requireNonNull(store, "A session store is required.");`
`52`		`- this.secret = requireNonNull(secret, "An application secret is required.");`
	`52`	`+ this.secret = secret;`
`53`	`53`	`setSessionIdManager(new JoobySessionIdManager(store, secret));`
`54`	`54`	`}`
`55`	`55`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,6 @@ public class SessionCookieFeature extends ServerFeature {`
`34`	`34`	`@Override`
`35`	`35`	`public void save(final Session session, final SaveReason reason) {`
`36`	`36`	`assertNotNull(session);`
`37`		`- session.set("saves", ((int) session.get("saves").orElse(0)) + 1);`
`38`	`37`	`}`
`39`	`38`
`40`	`39`	`@Override`