From 53feeb30e719c426f94377c1843b12ac1e513bfa Mon Sep 17 00:00:00 2001 From: Oleh Onufryk Date: Mon, 21 Oct 2024 23:29:08 +0300 Subject: [PATCH] gh-1246: AWS Cognito Integration 1.0 --- .../cognito/CognitoAutoConfiguration.java | 4 +- .../cognito/CognitoProperties.java | 7 ++ .../cloud/cognito/CognitoAuthOperations.java | 78 +++++++++++++ .../cloud/cognito/CognitoParameters.java | 49 ++++++++ .../cloud/cognito/CognitoTemplate.java | 110 ++++++++++++++++++ .../awspring/cloud/cognito/CognitoUtils.java | 50 ++++++++ .../awspring/cloud/cognito/package-info.java | 22 ++++ spring-cloud-aws-dependencies/pom.xml | 6 + 8 files changed, 324 insertions(+), 2 deletions(-) create mode 100644 spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoAuthOperations.java create mode 100644 spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoParameters.java create mode 100644 spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoTemplate.java create mode 100644 spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoUtils.java create mode 100644 spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/package-info.java diff --git a/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoAutoConfiguration.java b/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoAutoConfiguration.java index 43e2b032a..99a3efc62 100644 --- a/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoAutoConfiguration.java +++ b/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoAutoConfiguration.java @@ -60,10 +60,10 @@ public CognitoIdentityProviderClient cognitoIdentityProviderClient(CognitoProper @Bean @ConditionalOnMissingBean - @ConditionalOnProperty(name = {"spring.cloud.aws.cognito.clientId", "spring.cloud.aws.cognito.userPoolId"}) + @ConditionalOnProperty(name = { "spring.cloud.aws.cognito.client-id", "spring.cloud.aws.cognito.user-pool-id" }) public CognitoTemplate cognitoTemplate(CognitoProperties cognitoProperties, CognitoIdentityProviderClient cognitoIdentityProviderClient) { return new CognitoTemplate(cognitoIdentityProviderClient, cognitoProperties.getClientId(), - cognitoProperties.getUserPoolId()); + cognitoProperties.getUserPoolId(), cognitoProperties.getClientSecret()); } } diff --git a/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoProperties.java b/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoProperties.java index 7a937d4c0..a122a070c 100644 --- a/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoProperties.java +++ b/spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/cognito/CognitoProperties.java @@ -18,6 +18,13 @@ import io.awspring.cloud.autoconfigure.AwsClientProperties; import org.springframework.boot.context.properties.ConfigurationProperties; +/** + * Configuration properties for AWS Cognito Integration + * + * @author Oleh Onufryk + * @since 3.3.0 + */ + @ConfigurationProperties(CognitoProperties.CONFIG_PREFIX) public class CognitoProperties extends AwsClientProperties { diff --git a/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoAuthOperations.java b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoAuthOperations.java new file mode 100644 index 000000000..797f0c1e3 --- /dev/null +++ b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoAuthOperations.java @@ -0,0 +1,78 @@ +/* + * Copyright 2013-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.awspring.cloud.cognito; + +import java.util.List; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminCreateUserResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ConfirmForgotPasswordResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ForgotPasswordResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.RespondToAuthChallengeResponse; + +/** + * An Interface for the most common Cognito auth operations + * + * @author Oleh Onufryk + * @since 3.3.0 + */ + +public interface CognitoAuthOperations { + + /** + * Logs in a user using username and password + * @param username - the username + * @param password - the password + * @return {@link AdminInitiateAuthResponse} a result of login operation from the AWS Cognito + */ + AdminInitiateAuthResponse login(String username, String password); + + /** + * Creates a new user with provided attributes + * @param username - the username + * @param attributeTypes - the list of user attributes defined by user pool + * @return {@link AdminCreateUserResponse} a result of user creation operation from the AWS Cognito + */ + AdminCreateUserResponse createUser(String username, List attributeTypes); + + /** + * Resets password for a user + * @param username - the username + * @return {@link ForgotPasswordResponse} a result of password reset operation from the AWS Cognito + */ + ForgotPasswordResponse resetPassword(String username); + + /** + * Confirms password reset + * @param username - the username + * @param confirmationCode - the confirmation code for password reset operation + * @param newPassword - the new password + * @return {@link ConfirmForgotPasswordResponse} a result of password reset confirmation operation from the AWS + * Cognito + */ + ConfirmForgotPasswordResponse confirmResetPassword(String username, String confirmationCode, String newPassword); + + /** + * Sets a permanent password for a new user + * @param session - the session id returned by the login operation + * @param username - the username of the user + * @param password - the permanent password for user's account + * @return {@link RespondToAuthChallengeResponse} a result of setting permanent password operation from the AWS + * Cognito + */ + RespondToAuthChallengeResponse setPermanentPassword(String session, String username, String password); + +} diff --git a/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoParameters.java b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoParameters.java new file mode 100644 index 000000000..96a79954a --- /dev/null +++ b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoParameters.java @@ -0,0 +1,49 @@ +/* + * Copyright 2013-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.awspring.cloud.cognito; + +/** + * Parameters used in AWS Cognito operations. + * + * @author Oleh Onufryk + * @since 3.3.0 + */ + +public final class CognitoParameters { + + private CognitoParameters() { + } + + /** + * Parameter represents username for a user. + */ + public static final String USERNAME_PARAM_NAME = "USERNAME"; + + /** + * Parameter represents password for a user. + */ + public static final String PASSWORD_PARAM_NAME = "PASSWORD"; + + /** + * Parameter represents a compute secret hash for a user. + */ + public static final String SECRET_HASH_PARAM_NAME = "SECRET_HASH"; + + /** + * Parameter represents a new password for a user. + */ + public static final String NEW_PASSWORD_PARAM_NAME = "NEW_PASSWORD"; +} diff --git a/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoTemplate.java b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoTemplate.java new file mode 100644 index 000000000..79a6a5711 --- /dev/null +++ b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoTemplate.java @@ -0,0 +1,110 @@ +/* + * Copyright 2013-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.awspring.cloud.cognito; + +import java.util.List; +import java.util.Map; +import org.springframework.util.Assert; +import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminCreateUserRequest; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminCreateUserResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType; +import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ChallengeNameType; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ConfirmForgotPasswordRequest; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ConfirmForgotPasswordResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ForgotPasswordRequest; +import software.amazon.awssdk.services.cognitoidentityprovider.model.ForgotPasswordResponse; +import software.amazon.awssdk.services.cognitoidentityprovider.model.RespondToAuthChallengeRequest; +import software.amazon.awssdk.services.cognitoidentityprovider.model.RespondToAuthChallengeResponse; + +/** + * Higher level abstraction over {@link CognitoIdentityProviderClient} providing methods for the most common auth + * operations + * + * @author Oleh Onufryk + * @since 3.3.0 + */ + +public class CognitoTemplate implements CognitoAuthOperations { + + private final CognitoIdentityProviderClient cognitoIdentityProviderClient; + private final String clientId; + private final String userPoolId; + private final String clientSecret; + + public CognitoTemplate(CognitoIdentityProviderClient cognitoIdentityProviderClient, String clientId, + String userPoolId, String clientSecret) { + Assert.notNull(cognitoIdentityProviderClient, "cognitoIdentityProviderClient is required"); + Assert.notNull(clientId, "clientId is required"); + Assert.notNull(userPoolId, "userPoolId is required"); + this.cognitoIdentityProviderClient = cognitoIdentityProviderClient; + this.clientId = clientId; + this.userPoolId = userPoolId; + this.clientSecret = clientSecret; + } + + @Override + public AdminInitiateAuthResponse login(String username, String password) { + AdminInitiateAuthRequest adminInitiateAuthRequest = AdminInitiateAuthRequest.builder().userPoolId(userPoolId) + .clientId(clientId).authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH) + .authParameters(resolveAuthParameters(username, password)).build(); + return cognitoIdentityProviderClient.adminInitiateAuth(adminInitiateAuthRequest); + } + + @Override + public AdminCreateUserResponse createUser(String username, List attributeTypes) { + AdminCreateUserRequest createUserRequest = AdminCreateUserRequest.builder().userPoolId(userPoolId) + .username(username).userAttributes(attributeTypes).build(); + return cognitoIdentityProviderClient.adminCreateUser(createUserRequest); + } + + @Override + public ForgotPasswordResponse resetPassword(String username) { + ForgotPasswordRequest forgotPasswordRequest = ForgotPasswordRequest.builder().clientId(clientId) + .username(username).build(); + + return cognitoIdentityProviderClient.forgotPassword(forgotPasswordRequest); + } + + @Override + public ConfirmForgotPasswordResponse confirmResetPassword(String username, String confirmationCode, + String newPassword) { + ConfirmForgotPasswordRequest confirmForgotPasswordRequest = ConfirmForgotPasswordRequest.builder() + .clientId(clientId).username(username).password(newPassword).confirmationCode(confirmationCode) + .secretHash(CognitoUtils.calculateSecretHash(clientId, clientSecret, username)).build(); + return cognitoIdentityProviderClient.confirmForgotPassword(confirmForgotPasswordRequest); + } + + @Override + public RespondToAuthChallengeResponse setPermanentPassword(String session, String username, String password) { + RespondToAuthChallengeRequest respondToAuthChallengeRequest = RespondToAuthChallengeRequest.builder() + .clientId(clientId).challengeName(ChallengeNameType.NEW_PASSWORD_REQUIRED) + .challengeResponses(Map.of(CognitoParameters.USERNAME_PARAM_NAME, username, + CognitoParameters.NEW_PASSWORD_PARAM_NAME, password, CognitoParameters.SECRET_HASH_PARAM_NAME, + CognitoUtils.calculateSecretHash(clientId, clientSecret, username))) + .build(); + return cognitoIdentityProviderClient.respondToAuthChallenge(respondToAuthChallengeRequest); + } + + private Map resolveAuthParameters(String username, String password) { + return Map.of(CognitoParameters.USERNAME_PARAM_NAME, username, CognitoParameters.PASSWORD_PARAM_NAME, password, + CognitoParameters.SECRET_HASH_PARAM_NAME, + CognitoUtils.calculateSecretHash(clientId, clientSecret, username)); + } +} diff --git a/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoUtils.java b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoUtils.java new file mode 100644 index 000000000..7547c3343 --- /dev/null +++ b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/CognitoUtils.java @@ -0,0 +1,50 @@ +/* + * Copyright 2013-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.awspring.cloud.cognito; + +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; + +/** + * Utility class for Cognito operations. + * + * @author Oleh Onufryk + * @since 3.3.0 + */ +public class CognitoUtils { + + private CognitoUtils() { + } + + // https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash + public static String calculateSecretHash(String userPoolClientId, String userPoolClientSecret, String userName) { + final String HMAC_SHA256_ALGORITHM = "HmacSHA256"; + SecretKeySpec signingKey = new SecretKeySpec(userPoolClientSecret.getBytes(StandardCharsets.UTF_8), + HMAC_SHA256_ALGORITHM); + try { + Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM); + mac.init(signingKey); + mac.update(userName.getBytes(StandardCharsets.UTF_8)); + byte[] rawHmac = mac.doFinal(userPoolClientId.getBytes(StandardCharsets.UTF_8)); + return Base64.getEncoder().encodeToString(rawHmac); + } + catch (Exception e) { + throw new RuntimeException("Error while calculating secret hash for " + userName); + } + } +} diff --git a/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/package-info.java b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/package-info.java new file mode 100644 index 000000000..01bad4a7c --- /dev/null +++ b/spring-cloud-aws-cognito/src/main/java/io/awspring/cloud/cognito/package-info.java @@ -0,0 +1,22 @@ +/* + * Copyright 2013-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * AWS Cognito integration. + */ +@org.springframework.lang.NonNullApi +@org.springframework.lang.NonNullFields +package io.awspring.cloud.cognito; diff --git a/spring-cloud-aws-dependencies/pom.xml b/spring-cloud-aws-dependencies/pom.xml index e0303d851..69fcbf61a 100644 --- a/spring-cloud-aws-dependencies/pom.xml +++ b/spring-cloud-aws-dependencies/pom.xml @@ -220,6 +220,12 @@ ${project.version} + + io.awspring.cloud + spring-cloud-aws-starter-cognito + ${project.version} + + io.awspring.cloud spring-cloud-aws-test