DefaultStateGenerator->Base64StringKeyGenerator

Rename and move DefaultStateGenerator since it is more generic than just
OAuth.

Fixes gh-4645

crypto/src/main/java/org/springframework/security/crypto/keygen/Base64StringKeyGenerator.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.crypto.keygen;
+
+import java.util.Base64;
+
+/**
+ * A StringKeyGenerator that generates base64-encoded String keys. Delegates to a
+ * {@link BytesKeyGenerator} for the actual key generation.
+ *
+ * @author Joe Grandja
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class Base64StringKeyGenerator implements StringKeyGenerator {
+	private static final int DEFAULT_KEY_LENGTH = 32;
+	private final BytesKeyGenerator keyGenerator;
+	private final Base64.Encoder encoder;
+
+	/**
+	 * Creates an instance with keyLength of 32 bytes and standard Base64 encoding.
+	 */
+	public Base64StringKeyGenerator() {
+		this(DEFAULT_KEY_LENGTH);
+	}
+
+	/**
+	 * Creates an instance with the provided key length in bytes and standard Base64
+	 * encoding.
+	 * @param keyLength the key length in bytes
+	 */
+	public Base64StringKeyGenerator(int keyLength) {
+		this(Base64.getEncoder(), keyLength);
+	}
+
+	/**
+	 * Creates an instance with keyLength of 32 bytes and the provided encoder.
+	 * @param encoder the encoder to use
+	 */
+	public Base64StringKeyGenerator(Base64.Encoder encoder) {
+		this(encoder, DEFAULT_KEY_LENGTH);
+	}
+
+	/**
+	 * Creates an instance with the provided key length and encoder.
+	 * @param encoder the encoder to use
+	 * @param keyLength the key length to use
+	 */
+	public Base64StringKeyGenerator(Base64.Encoder encoder, int keyLength) {
+		if(encoder == null) {
+			throw new IllegalArgumentException("encode cannot be null");
+		}
+		if(keyLength < DEFAULT_KEY_LENGTH) {
+			throw new IllegalArgumentException("keyLength must be greater than or equal to" + DEFAULT_KEY_LENGTH);
+		}
+		this.encoder = encoder;
+		this.keyGenerator = KeyGenerators.secureRandom(keyLength);
+	}
+
+	@Override
+	public String generateKey() {
+		byte[] key = this.keyGenerator.generateKey();
+		byte[] base64EncodedKey = this.encoder.encode(key);
+		return new String(base64EncodedKey);
+	}
+}

crypto/src/test/java/org/springframework/security/crypto/keygen/Base64StringKeyGeneratorTests.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.crypto.keygen;
+
+import org.junit.Test;
+
+import java.util.Base64;
+
+import static org.assertj.core.api.Assertions.*;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class Base64StringKeyGeneratorTests {
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorIntWhenLessThan32ThenIllegalArgumentException() {
+		new Base64StringKeyGenerator(31);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorEncoderWhenEncoderNullThenThrowsIllegalArgumentException() {
+		Base64.Encoder encoder = null;
+		new Base64StringKeyGenerator(null);
+	}
+
+	@Test
+	public void generateKeyWhenDefaultConstructorThen32Bytes() {
+		String result = new Base64StringKeyGenerator().generateKey();
+		assertThat(Base64.getDecoder().decode(result.getBytes())).hasSize(32);
+	}
+
+	@Test
+	public void generateKeyWhenCustomKeySizeThen32Bytes() {
+		int size = 40;
+		String result = new Base64StringKeyGenerator(size).generateKey();
+		assertThat(Base64.getDecoder().decode(result.getBytes())).hasSize(size);
+	}
+
+	@Test
+	public void generateKeyWhenBase64Then32Bytes() {
+		String result = new Base64StringKeyGenerator(Base64.getUrlEncoder()).generateKey();
+		assertThat(Base64.getUrlDecoder().decode(result.getBytes())).hasSize(32);
+	}
+
+	@Test
+	public void generateKeyWhenBase64AndCustomKeySizeThen32Bytes() {
+		int size = 40;
+		String result = new Base64StringKeyGenerator(Base64.getUrlEncoder(), size).generateKey();
+		assertThat(Base64.getUrlDecoder().decode(result.getBytes())).hasSize(size);
+	}
+}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java

@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.client.web;
 
 import org.springframework.http.HttpStatus;
+import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
 import org.springframework.security.crypto.keygen.StringKeyGenerator;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -35,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URI;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -69,7 +71,7 @@ public class AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
 	private final ClientRegistrationRepository clientRegistrationRepository;
 	private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new DefaultAuthorizationRequestUriBuilder();
 	private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();
-	private final StringKeyGenerator stateGenerator = new DefaultStateGenerator();
+	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 	private AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionAuthorizationRequestRepository();
 
 	public AuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultStateGenerator.java

@@ -1,55 +0,0 @@
-/*
- * Copyright 2012-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.web;
-
-import org.springframework.security.crypto.keygen.BytesKeyGenerator;
-import org.springframework.security.crypto.keygen.KeyGenerators;
-import org.springframework.security.crypto.keygen.StringKeyGenerator;
-import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
-import org.springframework.util.Assert;
-
-import java.util.Base64;
-
-/**
- * The default implementation for generating the {@link OAuth2Parameter#STATE} parameter
- * used in the <i>Authorization Request</i> and correlated in the <i>Authorization Response</i> (or <i>Error Response</i>).
- *
- * <p>
- * <b>NOTE:</b> The value of the <i>state</i> parameter is an opaque <code>String</code>
- * used by the client to prevent cross-site request forgery, as described in
- * <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-10.12">Section 10.12</a> of the specification.
- *
- * @author Joe Grandja
- * @since 5.0
- */
-public class DefaultStateGenerator implements StringKeyGenerator {
-	private static final int DEFAULT_KEY_LENGTH = 32;
-	private final BytesKeyGenerator keyGenerator;
-
-	public DefaultStateGenerator() {
-		this(DEFAULT_KEY_LENGTH);
-	}
-
-	public DefaultStateGenerator(int keyLength) {
-		Assert.isTrue(keyLength >= DEFAULT_KEY_LENGTH, "keyLength must be greater than " + DEFAULT_KEY_LENGTH);
-		this.keyGenerator = KeyGenerators.secureRandom(keyLength);
-	}
-
-	@Override
-	public String generateKey() {
-		return new String(Base64.getUrlEncoder().encode(keyGenerator.generateKey()));
-	}
-}