Merge pull request #1347 from couchbase/feature/issue_1338

pasin · web-flow · commit b86198de1d39 · 2016-07-11T14:19:01.000-07:00
Fixed #1338 - OpenID tokens in the key store should be per-database
diff --git a/src/main/java/com/couchbase/lite/Manager.java b/src/main/java/com/couchbase/lite/Manager.java
@@ -628,6 +628,22 @@ public Replication getReplicator(Map<String, Object> properties) throws Couchbas
             remoteMap = sourceMap;
         }
 
+        // Can't specify both a filter and doc IDs
+        if (properties.get("filter") != null && properties.get("doc_ids") != null)
+            throw new CouchbaseLiteException("Can't specify both a filter and doc IDs",
+                    new Status(Status.BAD_REQUEST));
+
+        try {
+            remote = new URL(remoteStr);
+        } catch (MalformedURLException e) {
+            throw new CouchbaseLiteException("malformed remote url: " + remoteStr,
+                    new Status(Status.BAD_REQUEST));
+        }
+        if (remote == null) {
+            throw new CouchbaseLiteException("remote URL is null: " + remoteStr,
+                    new Status(Status.BAD_REQUEST));
+        }
+
         Map<String, Object> authMap = (Map<String, Object>) remoteMap.get("auth");
         if (authMap != null) {
 
@@ -641,23 +657,11 @@ public Replication getReplicator(Map<String, Object> properties) throws Couchbas
                 String email = (String) facebook.get("email");
                 authorizer = new FacebookAuthorizer(email);
             }
+            authorizer.setRemoteURL(remote);
+            authorizer.setLocalUUID(db.publicUUID());
         }
 
-        // Can't specify both a filter and doc IDs
-        if (properties.get("filter") != null && properties.get("doc_ids") != null)
-            throw new CouchbaseLiteException("Can't specify both a filter and doc IDs",
-                    new Status(Status.BAD_REQUEST));
 
-        try {
-            remote = new URL(remoteStr);
-        } catch (MalformedURLException e) {
-            throw new CouchbaseLiteException("malformed remote url: " + remoteStr,
-                    new Status(Status.BAD_REQUEST));
-        }
-        if (remote == null) {
-            throw new CouchbaseLiteException("remote URL is null: " + remoteStr,
-                    new Status(Status.BAD_REQUEST));
-        }
 
         if (!cancel) {
             repl = db.getReplicator(remote, getDefaultHttpClientFactory(), push, continuous);
diff --git a/src/main/java/com/couchbase/lite/auth/Authorizer.java b/src/main/java/com/couchbase/lite/auth/Authorizer.java
@@ -27,6 +27,13 @@ public interface Authorizer extends Authenticator {
 
     void setRemoteURL(URL remoteURL);
 
+    /**
+     * The unique ID of the local database. The replicator sets this property when it starts up.
+     */
+    String getLocalUUID();
+
+    void setLocalUUID(String localUUID);
+
     boolean removeStoredCredentials();
 
     // @optional
diff --git a/src/main/java/com/couchbase/lite/auth/BaseAuthorizer.java b/src/main/java/com/couchbase/lite/auth/BaseAuthorizer.java
@@ -22,7 +22,8 @@ public abstract class BaseAuthorizer implements Authorizer {
     ////////////////////////////////////////////////////////////
     // Member variables
     ////////////////////////////////////////////////////////////
-    protected URL remoteURL;
+    private URL remoteURL;
+    private String localUUID;
 
     ////////////////////////////////////////////////////////////
     // Implementations of Authorizer
@@ -43,6 +44,16 @@ public boolean removeStoredCredentials() {
         return true;
     }
 
+    @Override
+    public String getLocalUUID() {
+        return localUUID;
+    }
+
+    @Override
+    public void setLocalUUID(String localUUID) {
+        this.localUUID = localUUID;
+    }
+
     @Override
     public String getUsername() {
         // @optional
diff --git a/src/main/java/com/couchbase/lite/auth/FacebookAuthorizer.java b/src/main/java/com/couchbase/lite/auth/FacebookAuthorizer.java
@@ -101,7 +101,7 @@ public static boolean registerToken(String token, String email, URL site) {
     private String token() {
         List<String> key = new ArrayList<String>();
         key.add(email);
-        key.add(remoteURL.toExternalForm().toLowerCase());
+        key.add(getRemoteURL().toExternalForm().toLowerCase());
         Log.v(TAG, "FacebookAuthorizer looking up key: %s from list of access tokens", key);
         return sRegisteredTokens.get(key);
     }
diff --git a/src/main/java/com/couchbase/lite/auth/MemTokenStore.java b/src/main/java/com/couchbase/lite/auth/MemTokenStore.java
@@ -25,44 +25,47 @@ public class MemTokenStore implements TokenStore {
     private Map<String, Map<String, String>> store = new HashMap<String, Map<String, String>>();
 
     @Override
-    public Map<String, String> loadTokens(URL remoteURL) throws Exception {
-        if(remoteURL == null)
+    public Map<String, String> loadTokens(URL remoteURL, String localUUID) throws Exception {
+        if (remoteURL == null)
             return null;
-        String key = getKey(remoteURL);
+        String key = getKey(remoteURL, localUUID);
         if (!store.containsKey(key))
             return null;
         return store.get(key);
     }
 
     @Override
-    public boolean saveTokens(URL remoteURL, Map<String, String> tokens) {
-        if(tokens == null)
-            return deleteTokens(remoteURL);
+    public boolean saveTokens(URL remoteURL, String localUUID, Map<String, String> tokens) {
+        if (tokens == null)
+            return deleteTokens(remoteURL, localUUID);
 
-        if(remoteURL == null)
+        if (remoteURL == null)
             return false;
 
-        String key = getKey(remoteURL);
+        String key = getKey(remoteURL, localUUID);
         store.put(key, tokens);
         return true;
     }
 
     @Override
-    public boolean deleteTokens(URL remoteURL) {
-        if(remoteURL == null)
+    public boolean deleteTokens(URL remoteURL, String localUUID) {
+        if (remoteURL == null)
             return false;
-        String key = getKey(remoteURL);
+        String key = getKey(remoteURL, localUUID);
         if (!store.containsKey(key))
             return false;
         store.remove(key);
         return true;
     }
 
-    /*package*/  String getKey(URL remoteURL) {
-        if(remoteURL == null)
+    /*package*/  String getKey(URL remoteURL, String localUUID) {
+        if (remoteURL == null)
             throw new IllegalArgumentException("remoteURL is null");
-        String account = remoteURL.toExternalForm();
+        String service = remoteURL.toExternalForm();
         String label = String.format(Locale.ENGLISH, "%s OpenID Connect tokens", remoteURL.getHost());
-        return String.format(Locale.ENGLISH, "%s%s", label, account);
+        if (localUUID == null)
+            return String.format(Locale.ENGLISH, "%s%s", label, service);
+        else
+            return String.format(Locale.ENGLISH, "%s%s%s", label, service, localUUID);
     }
 }
diff --git a/src/main/java/com/couchbase/lite/auth/OpenIDConnectAuthorizer.java b/src/main/java/com/couchbase/lite/auth/OpenIDConnectAuthorizer.java
@@ -66,7 +66,7 @@ public OpenIDConnectAuthorizer(OIDCLoginCallback callback, TokenStore tokenStore
     ////////////////////////////////////////////////////////////
     @Override
     public String toString() {
-        return String.format(Locale.ENGLISH, "OpenIDConnectAuthorizer[%s]", remoteURL);
+        return String.format(Locale.ENGLISH, "OpenIDConnectAuthorizer[%s]", getRemoteURL());
     }
 
     ////////////////////////////////////////////////////////////
@@ -120,7 +120,7 @@ public void loginResponse(Object jsonResponse,
                               Throwable error,
                               ContinuationBlock block) {
         if (error != null && (!(error instanceof RemoteRequestResponseException) ||
-                              ((RemoteRequestResponseException) error).getCode() != 401)) {
+                ((RemoteRequestResponseException) error).getCode() != 401)) {
             block.call(false, error);
             return;
         }
@@ -195,7 +195,7 @@ public boolean implementedLoginResponse() {
 
     @Override
     public boolean removeStoredCredentials() {
-        if(!deleteTokens())
+        if (!deleteTokens())
             return false;
         IDToken = null;
         refreshToken = null;
@@ -248,6 +248,8 @@ public void setRefreshToken(String refreshToken) {
     public static boolean forgetIDTokensForServer(URL serverURL, TokenStore tokenStore) {
         OpenIDConnectAuthorizer authorizer = new OpenIDConnectAuthorizer(null, tokenStore);
         authorizer.setRemoteURL(serverURL);
+        // Deliberately don't set auth.localUUID. This will leave kSecAttrAccount unset in the
+        // dictionary passed to SecItemDelete, deleting keychain items for all accounts (databases).
         return authorizer.deleteTokens();
     }
 
@@ -260,7 +262,7 @@ public static boolean forgetIDTokensForServer(URL serverURL, TokenStore tokenSto
             return false;
 
         try {
-            return parseTokens(tokenStore.loadTokens(remoteURL));
+            return parseTokens(tokenStore.loadTokens(getRemoteURL(), getLocalUUID()));
         } catch (Exception e) {
             Log.w(TAG, "Error in loadTokens()", e);
             return false;
@@ -270,13 +272,13 @@ public static boolean forgetIDTokensForServer(URL serverURL, TokenStore tokenSto
     /*package*/  boolean saveTokens(Map<String, String> tokens) {
         if (tokenStore == null)
             return false;
-        return tokenStore.saveTokens(remoteURL, tokens);
+        return tokenStore.saveTokens(getRemoteURL(), getLocalUUID(), tokens);
     }
 
     /*package*/  boolean deleteTokens() {
         if (tokenStore == null)
             return false;
-        return tokenStore.deleteTokens(remoteURL);
+        return tokenStore.deleteTokens(getRemoteURL(), getLocalUUID());
     }
 
     private boolean parseTokens(Map<String, String> tokens) {
@@ -301,7 +303,7 @@ private boolean parseTokens(Map<String, String> tokens) {
 
     private void continueAsyncLoginWithURL(URL loginURL, final ContinuationBlock block) {
         Log.v(TAG, "OpenIDConnectAuthorizer: Calling app login callback block...");
-        final URL remoteURL = this.remoteURL;
+        final URL remoteURL = this.getRemoteURL();
         final URL redirectBaseURL = extractRedirectURL(loginURL);
         if (loginCallback != null)
             loginCallback.callback(loginURL, redirectBaseURL, new OIDCLoginContinuation() {
@@ -312,8 +314,8 @@ public void callback(URL url, Throwable error) {
                                 "<%s>", url.toExternalForm());
                         // Verify that the authURL matches the site:
                         if (remoteURL == null ||
-                            url.getHost().compareToIgnoreCase(remoteURL.getHost()) != 0 ||
-                            url.getPort() != remoteURL.getPort()) {
+                                url.getHost().compareToIgnoreCase(remoteURL.getHost()) != 0 ||
+                                url.getPort() != remoteURL.getPort()) {
                             Log.w(TAG, "OpenIDConnectAuthorizer: App-provided authURL <%s> " +
                                     "doesn't match server URL; ignoring it", url.toExternalForm());
                             url = null;
diff --git a/src/main/java/com/couchbase/lite/auth/PersonaAuthorizer.java b/src/main/java/com/couchbase/lite/auth/PersonaAuthorizer.java
@@ -147,9 +147,9 @@ public static String assertionForEmailAndSite(String email, URL site) {
     ////////////////////////////////////////////////////////////
 
     /*package*/ String assertion() {
-        String assertion = assertionForEmailAndSite(email, remoteURL);
+        String assertion = assertionForEmailAndSite(email, getRemoteURL());
         if (assertion == null) {
-            Log.w(TAG, "PersonaAuthorizer<%s> no assertion found for: %s", email, remoteURL);
+            Log.w(TAG, "PersonaAuthorizer<%s> no assertion found for: %s", email, getRemoteURL());
             return null;
         }
         Map<String, Object> result = parseAssertion(assertion);
diff --git a/src/main/java/com/couchbase/lite/auth/TokenStore.java b/src/main/java/com/couchbase/lite/auth/TokenStore.java
@@ -23,20 +23,20 @@ public interface TokenStore {
      *
      * @return tokens
      */
-    Map<String, String> loadTokens(URL remoteURL) throws Exception;
+    Map<String, String> loadTokens(URL remoteURL, String localUUID) throws Exception;
 
     /**
      * Save tokens into the token store
      *
      * @param tokens to be saved
      * @return true - success, false - failure
      */
-    boolean saveTokens(URL remoteURL, Map<String, String> tokens);
+    boolean saveTokens(URL remoteURL, String localUUID, Map<String, String> tokens);
 
     /**
      * Delete tokens from the token store
      *
      * @return true - success, false - failure
      */
-    boolean deleteTokens(URL remoteURL);
+    boolean deleteTokens(URL remoteURL, String localUUID);
 }
diff --git a/src/main/java/com/couchbase/lite/replicator/ReplicationInternal.java b/src/main/java/com/couchbase/lite/replicator/ReplicationInternal.java
@@ -335,7 +335,9 @@ protected void close() {
 
     protected void initAuthorizer() {
         if (authenticator != null && authenticator instanceof Authorizer) {
-            ((Authorizer) authenticator).setRemoteURL(remote);
+            Authorizer authorizer = (Authorizer)authenticator;
+            authorizer.setRemoteURL(remote);
+            authorizer.setLocalUUID(db.publicUUID());
         }
     }
 
@@ -430,7 +432,8 @@ public Thread newThread(Runnable r) {
     protected void checkSession() {
         if (getAuthenticator() != null) {
             Authorizer auth = (Authorizer) getAuthenticator();
-            auth.setRemoteURL(this.remote);
+            auth.setRemoteURL(remote);
+            auth.setLocalUUID(db.publicUUID());
         }
         if (getAuthenticator() != null && getAuthenticator() instanceof SessionCookieAuthorizer) {
             // Sync Gateway session API is at /db/_session; try that first

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ public static boolean registerToken(String token, String email, URL site) {`
`101`	`101`	`private String token() {`
`102`	`102`	`List<String> key = new ArrayList<String>();`
`103`	`103`	`key.add(email);`
`104`		`- key.add(remoteURL.toExternalForm().toLowerCase());`
	`104`	`+ key.add(getRemoteURL().toExternalForm().toLowerCase());`
`105`	`105`	`Log.v(TAG, "FacebookAuthorizer looking up key: %s from list of access tokens", key);`
`106`	`106`	`return sRegisteredTokens.get(key);`
`107`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,20 +23,20 @@ public interface TokenStore {`
`23`	`23`	`*`
`24`	`24`	`* @return tokens`
`25`	`25`	`*/`
`26`		`- Map<String, String> loadTokens(URL remoteURL) throws Exception;`
	`26`	`+ Map<String, String> loadTokens(URL remoteURL, String localUUID) throws Exception;`
`27`	`27`
`28`	`28`	`/**`
`29`	`29`	`* Save tokens into the token store`
`30`	`30`	`*`
`31`	`31`	`* @param tokens to be saved`
`32`	`32`	`* @return true - success, false - failure`
`33`	`33`	`*/`
`34`		`- boolean saveTokens(URL remoteURL, Map<String, String> tokens);`
	`34`	`+ boolean saveTokens(URL remoteURL, String localUUID, Map<String, String> tokens);`
`35`	`35`
`36`	`36`	`/**`
`37`	`37`	`* Delete tokens from the token store`
`38`	`38`	`*`
`39`	`39`	`* @return true - success, false - failure`
`40`	`40`	`*/`
`41`		`- boolean deleteTokens(URL remoteURL);`
	`41`	`+ boolean deleteTokens(URL remoteURL, String localUUID);`
`42`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -335,7 +335,9 @@ protected void close() {`
`335`	`335`
`336`	`336`	`protected void initAuthorizer() {`
`337`	`337`	`if (authenticator != null && authenticator instanceof Authorizer) {`
`338`		`- ((Authorizer) authenticator).setRemoteURL(remote);`
	`338`	`+ Authorizer authorizer = (Authorizer)authenticator;`
	`339`	`+ authorizer.setRemoteURL(remote);`
	`340`	`+ authorizer.setLocalUUID(db.publicUUID());`
`339`	`341`	`}`
`340`	`342`	`}`
`341`	`343`
`@@ -430,7 +432,8 @@ public Thread newThread(Runnable r) {`
`430`	`432`	`protected void checkSession() {`
`431`	`433`	`if (getAuthenticator() != null) {`
`432`	`434`	`Authorizer auth = (Authorizer) getAuthenticator();`
`433`		`- auth.setRemoteURL(this.remote);`
	`435`	`+ auth.setRemoteURL(remote);`
	`436`	`+ auth.setLocalUUID(db.publicUUID());`
`434`	`437`	`}`
`435`	`438`	`if (getAuthenticator() != null && getAuthenticator() instanceof SessionCookieAuthorizer) {`
`436`	`439`	`// Sync Gateway session API is at /db/_session; try that first`