From f232183679016f5f1900a89fb3bf91e65d332184 Mon Sep 17 00:00:00 2001
From: usbharu <64310155+usbharu@users.noreply.github.com>
Date: Tue, 21 Nov 2023 12:38:41 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20OAuth2=E8=AA=8D=E8=A8=BC=E3=81=AB?=
 =?UTF-8?q?=E5=A4=B1=E6=95=97=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB?=
 =?UTF-8?q?=E3=81=AA=E3=81=A3=E3=81=A6=E3=81=84=E3=82=8B=E3=81=AE=E3=82=92?=
 =?UTF-8?q?=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../application/config/SecurityConfig.kt | 43 ++++++++++++-------
 .../mastodon/service/app/AppApiService.kt | 3 +-
 src/main/resources/application.yml | 2 +-
 src/main/resources/logback.xml | 4 +-
 4 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
index a5762bb1..13d73219 100644
--- a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
@@ -11,6 +11,7 @@ import dev.usbharu.hideout.core.infrastructure.springframework.httpsignature.Htt
 import dev.usbharu.hideout.core.infrastructure.springframework.httpsignature.HttpSignatureUserDetailsService
 import dev.usbharu.hideout.core.infrastructure.springframework.httpsignature.HttpSignatureVerifierComposite
 import dev.usbharu.hideout.core.infrastructure.springframework.oauth2.UserDetailsImpl
+import dev.usbharu.hideout.core.infrastructure.springframework.oauth2.UserDetailsServiceImpl
 import dev.usbharu.hideout.core.query.UserQueryService
 import dev.usbharu.hideout.util.RsaUtil
 import dev.usbharu.httpsignature.sign.RsaSha256HttpSignatureSigner
@@ -31,6 +32,7 @@ import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter
 import org.springframework.security.authentication.AccountStatusUserDetailsChecker
 import org.springframework.security.authentication.AuthenticationManager
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider
 import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
@@ -59,7 +61,7 @@ import java.security.interfaces.RSAPrivateKey
 import java.security.interfaces.RSAPublicKey
 import java.util.*
 
-@EnableWebSecurity(debug = false)
+@EnableWebSecurity(debug = true)
 @Configuration
 @Suppress("FunctionMaxLength", "TooManyFunctions")
 class SecurityConfig {
@@ -75,13 +77,12 @@ class SecurityConfig {
 @Order(1)
 fun httpSignatureFilterChain(
 http: HttpSecurity,
- httpSignatureFilter: HttpSignatureFilter,
 introspector: HandlerMappingIntrospector
 ): SecurityFilterChain {
 val builder = MvcRequestMatcher.Builder(introspector)
 http
 .securityMatcher("/inbox", "/outbox", "/users/*/inbox", "/users/*/outbox", "/users/*/posts/*")
- .addFilter(httpSignatureFilter)
+ .addFilter(getHttpSignatureFilter(http.getSharedObject(AuthenticationManager::class.java)))
 .addFilterBefore(
 ExceptionTranslationFilter(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)),
 HttpSignatureFilter::class.java
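Review bot: `@EnableWebSecurity(debug = true)` on `SecurityConfig` (hunk `@@ -59,7 +61,7 @@`) switches on Spring Security's debug mode for every environment that loads this configuration, not just a local run; in that mode the framework logs each incoming request including its headers, and it prints a startup warning that the output may contain sensitive data. Given the commit title (a fix for OAuth2 login failing) this looks like a troubleshooting toggle that was left in. I would revert it to `@EnableWebSecurity(debug = false)` before merging, or, if it is wanted for development, bind it to a property or a dev-only profile rather than hard-coding it on the class.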
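Review bot: `http.getSharedObject(AuthenticationManager::class.java)` in `httpSignatureFilterChain` (hunk `@@ -75,13 +77,12 @@`) is evaluated while the DSL is still being applied, and as far as I can tell HttpSecurity only populates that shared object while `build()` runs, so the filter is most likely constructed with a null manager. The follow-up hunk `@@ -108,12 +109,11 @@` accommodates that by widening the parameter to `AuthenticationManager?` and dropping `@Bean`, which also means the container no longer runs the filter's initialization check, so a missing manager would surface at request time on the signed ActivityPub endpoints instead of at startup. Since `AuthenticationConfiguration` is already imported in this file, the manager can be resolved reliably: add `authenticationConfiguration: AuthenticationConfiguration` to the `httpSignatureFilterChain` parameters and use `.addFilter(getHttpSignatureFilter(authenticationConfiguration.authenticationManager))`, keeping the parameter non-null; calling `http.authenticationManager(...)` before this line would populate the shared object as well. The body of `httpSignatureFilterChain` continues past this hunk.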
@@ -108,12 +109,11 @@ class SecurityConfig {
 .sessionManagement {
 it.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 }
-
 return http.build()
 }
 
- @Bean
- fun getHttpSignatureFilter(authenticationManager: AuthenticationManager): HttpSignatureFilter {
+
+ fun getHttpSignatureFilter(authenticationManager: AuthenticationManager?): HttpSignatureFilter {
 val httpSignatureFilter = HttpSignatureFilter(DefaultSignatureHeaderParser())
 httpSignatureFilter.setAuthenticationManager(authenticationManager)
 httpSignatureFilter.setContinueFilterChainOnUnsuccessfulAuthentication(false)
@@ -124,6 +124,13 @@ class SecurityConfig {
 return httpSignatureFilter
 }
 
+ @Bean
+ fun daoAuthenticationProvider(userDetailsServiceImpl: UserDetailsServiceImpl): DaoAuthenticationProvider {
+ val daoAuthenticationProvider = DaoAuthenticationProvider()
+ daoAuthenticationProvider.setUserDetailsService(userDetailsServiceImpl)
+ return daoAuthenticationProvider
+ }
+
 @Bean
 fun httpSignatureAuthenticationProvider(transaction: Transaction): PreAuthenticatedAuthenticationProvider {
 val provider = PreAuthenticatedAuthenticationProvider()
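Review bot: The new `daoAuthenticationProvider` bean (hunk `@@ -124,6 +124,13 @@`) sets only the `UserDetailsService`, so the provider verifies passwords with `DaoAuthenticationProvider`'s default delegating `PasswordEncoder`; whether that matches the encoder used when the stored password hashes were produced cannot be seen from this hunk, and an explicitly declared provider does not pick up an application `PasswordEncoder` bean the way the auto-configured one does. If a `PasswordEncoder` bean exists in this file or elsewhere, inject it here and call `daoAuthenticationProvider.setPasswordEncoder(passwordEncoder)` so registration and login agree on the algorithm. Stylistically the body reads better as `DaoAuthenticationProvider().apply { setUserDetailsService(userDetailsServiceImpl) }` with an expression body, and a one-line KDoc stating that this provider backs form login for local accounts would help the next reader tell it apart from `httpSignatureAuthenticationProvider`.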
@@ -187,16 +194,22 @@ class SecurityConfig {
 }
 http.oauth2ResourceServer {
 it.jwt(Customizer.withDefaults())
- }.passwordManagement { }.formLogin(Customizer.withDefaults()).csrf {
- it.ignoringRequestMatchers(builder.pattern("/users/*/inbox"))
- it.ignoringRequestMatchers(builder.pattern(HttpMethod.POST, "/api/v1/apps"))
- it.ignoringRequestMatchers(builder.pattern("/inbox"))
- it.ignoringRequestMatchers(PathRequest.toH2Console())
- }.headers {
- it.frameOptions {
- it.sameOrigin()
- }
 }
+ .passwordManagement { }
+ .formLogin {
+
+ }
+ .csrf {
+ it.ignoringRequestMatchers(builder.pattern("/users/*/inbox"))
+ it.ignoringRequestMatchers(builder.pattern(HttpMethod.POST, "/api/v1/apps"))
+ it.ignoringRequestMatchers(builder.pattern("/inbox"))
+ it.ignoringRequestMatchers(PathRequest.toH2Console())
+ }
+ .headers {
+ it.frameOptions {
+ it.sameOrigin()
+ }
+ }
 
 return http.build()
 }
diff --git a/src/main/kotlin/dev/usbharu/hideout/mastodon/service/app/AppApiService.kt b/src/main/kotlin/dev/usbharu/hideout/mastodon/service/app/AppApiService.kt
index 6d7d463e..d2306123 100644
--- a/src/main/kotlin/dev/usbharu/hideout/mastodon/service/app/AppApiService.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/mastodon/service/app/AppApiService.kt
@@ -60,7 +60,8 @@ class AppApiServiceImpl(
 "invalid-vapid-key",
 appsRequest.website,
 id,
- clientSecret
+ clientSecret,
+ appsRequest.redirectUris
 )
 }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 2d0a6c82..32d326d7 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -19,7 +19,7 @@ spring:
 default-property-inclusion: always
 datasource:
 driver-class-name: org.h2.Driver
- url: "jdbc:h2:./test-dev4;MODE=POSTGRESQL;TRACE_LEVEL_FILE=4"
+ url: "jdbc:h2:./test-dev4;MODE=POSTGRESQL"
 username: ""
 password: ""
 # data:
diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml
index 5e4e2bc3..1f2e9e02 100644
--- a/src/main/resources/logback.xml
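Review bot: `.formLogin { }` with an empty two-line lambda (hunk `@@ -187,16 +194,22 @@`) says less than the `Customizer.withDefaults()` it replaces: a reader has to work out that an empty customizer means "defaults", and the blank line inside the braces looks like something was meant to go there. I would write `.formLogin(Customizer.withDefaults())`, matching the `oauth2ResourceServer { it.jwt(Customizer.withDefaults()) }` call a few lines above, and keep the rest of the re-indented chain as it is. The enclosing filter-chain function starts before this hunk.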
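Review bot: `appsRequest.redirectUris` (hunk `@@ -60,7 +60,8 @@` in AppApiService.kt) is handed from the client-registration request straight into the constructor call, and nothing in this hunk checks its contents; the constructor and the start of the enclosing method are outside the hunk, so validation may happen there. If it does not, registration should reject entries that are not absolute URIs or that carry a fragment, since the stored list is what the authorization server later matches the redirect_uri parameter against. A short comment at the call site noting where redirect URIs are validated would make that contract visible to the next reader.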
+++ b/src/main/resources/logback.xml @@ -4,7 +4,7 @@ %d{YYYY-MM-dd HH:mm:ss.SSS} [%thread] %-5level [%X{x-request-id}] %logger{36} - %msg%n - + @@ -12,7 +12,7 @@ - +