CAUSEWAY-3939: Viewmodel Bookmark Overhaul

Author: andi-huber

api/applib/src/main/java/org/apache/causeway/applib/ViewModel.java

@@ -27,10 +27,10 @@
 
 /**
  * Indicates that an object belongs to the UI/application layer and is intended to be used as a view-model.
- * <p>
- * Instances of {@link ViewModel} must include (at least) one public constructor.
- * <p>
- * Contract:
+ *
+ * <p> Instances of {@link ViewModel} must include (at least) one public constructor.
+ *
+ * <p> Contract:
  * <ul>
  * <li>there is either exactly one public constructor or if there are more than one,
  * then only one of these is annotated with any of {@code @Inject} or {@code @Autowired(required=true)}
@@ -44,8 +44,8 @@
  * Naturally this also allows for the idiom of passing in the {@link ServiceInjector} as an argument
  * and programmatically resolve any field-style injection points via {@link ServiceInjector#injectServicesInto(Object)},
  * that is, if already required during <i>construction</i>.
- * <p>
- * After a view-model got new-ed up by the framework (or programmatically via the {@link FactoryService}),
+ *
+ * <p> After a view-model got new-ed up by the framework (or programmatically via the {@link FactoryService}),
  * {@link ServiceInjector#injectServicesInto(Object)} is called on the viewmodel instance,
  * regardless of what happened during <i>construction</i>.
  *
@@ -55,13 +55,12 @@ public interface ViewModel {
 
     /**
      * Obtain a memento of the view-model. (Optional)
-     * <p>
-     * Captures the state of this view-model as {@link String},
+     *
+     * <p> Captures the state of this view-model as {@link String},
      * which can be passed in to this view-model's constructor for later re-construction.
-     * <p>
-     * The framework automatically takes care of non-URL-safe strings,
-     * by passing them through {@link java.net.URLEncoder}/
-     * {@link java.net.URLDecoder} for encoding and decoding respectively.
+     *
+     * <p> The framework automatically takes care of non-URL-safe strings, null and the empty String.
+     * Those view-model mementos are also digitally signed, before the are handed out to clients.
      */
     @Programmatic
     String viewModelMemento();

api/applib/src/main/java/org/apache/causeway/applib/exceptions/unrecoverable/BookmarkNotFoundException.java

@@ -25,12 +25,8 @@
  * Indicates that a bookmark cannot be found.
  *
  * @since 2.1, 3.1 {@index}
- *
  */
 public class BookmarkNotFoundException extends UnrecoverableException {
-    /**
-     *
-     */
     private static final long serialVersionUID = 1L;
 
     public BookmarkNotFoundException(final String msg) {

api/applib/src/main/java/org/apache/causeway/applib/exceptions/unrecoverable/DigitalVerificationException.java

@@ -0,0 +1,57 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.causeway.applib.exceptions.unrecoverable;
+
+import org.apache.causeway.applib.exceptions.UnrecoverableException;
+import org.apache.causeway.applib.services.i18n.TranslatableString;
+
+/**
+ * Indicates that a digital verification failed.
+ *
+ * <p>E.g. could be an invalid (or no longer valid) bookmark.
+ *
+ * @since 3.5 {@index}
+ *
+ */
+public class DigitalVerificationException extends UnrecoverableException {
+    private static final long serialVersionUID = 1L;
+
+    public DigitalVerificationException(final String msg) {
+        super(msg);
+    }
+
+    public DigitalVerificationException(final TranslatableString translatableMessage,
+            final Class<?> translationContextClass, final String translationContextMethod) {
+        super(translatableMessage, translationContextClass, translationContextMethod);
+    }
+
+    public DigitalVerificationException(final Throwable cause) {
+        super(cause);
+    }
+
+    public DigitalVerificationException(final String msg, final Throwable cause) {
+        super(msg, cause);
+    }
+
+    public DigitalVerificationException(final TranslatableString translatableMessage,
+            final Class<?> translationContextClass, final String translationContextMethod, final Throwable cause) {
+        super(translatableMessage, translationContextClass, translationContextMethod, cause);
+    }
+
+}

api/applib/src/main/java/org/apache/causeway/applib/layout/grid/bootstrap/BSUtil.java

@@ -21,6 +21,8 @@
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicBoolean;
 
+import org.springframework.util.SerializationUtils;
+
 import org.apache.causeway.applib.layout.component.ActionLayoutData;
 import org.apache.causeway.applib.layout.component.ActionLayoutDataOwner;
 import org.apache.causeway.applib.layout.component.CollectionLayoutData;
@@ -30,9 +32,6 @@
 import org.apache.causeway.applib.layout.component.FieldSet;
 import org.apache.causeway.applib.layout.component.PropertyLayoutData;
 import org.apache.causeway.applib.layout.grid.bootstrap.BSElement.BSElementVisitor;
-import org.apache.causeway.commons.internal.base._Casts;
-import org.apache.causeway.commons.internal.resources._Serializables;
-
 import lombok.experimental.UtilityClass;
 
 @UtilityClass
@@ -76,9 +75,7 @@ public void visit(final CollectionLayoutData collectionLayoutData) {
      * Creates a deep copy of given original grid.
      */
     public BSGrid deepCopy(final BSGrid orig) {
-        var bytes = _Serializables.write(orig);
-        return _Casts.uncheckedCast(
-                _Serializables.read(BSGrid.class, bytes));
+        return SerializationUtils.clone(orig);
     }
 
     public BSGrid resolveOwners(final BSGrid grid) {

api/applib/src/main/java/org/apache/causeway/applib/services/bookmark/HmacAuthority.java

@@ -0,0 +1,123 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.causeway.applib.services.bookmark;
+
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.Objects;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.jspecify.annotations.Nullable;
+
+import lombok.SneakyThrows;
+
+/**
+ * Can be registered with Spring, to override the built in default, which has an application scoped random secret.
+ *
+ * <pre>
+ * {@code @Configuration}
+ * class EnableHmacAuthority {
+ *     {@code @Bean}
+ *     public HmacAuthority hmacAuthority() {
+ *         return HmacAuthority.HmacSHA256.randomInstance();
+ *     }
+ * }
+ * </pre>
+ *
+ * <p>Used to generate the bookmark of view models so that they are not susceptible to forgery or de-serialization attacks.
+ * (Bookmarks of entities are not susceptible).
+ * Note though, that the bookmarks' validity is bound to the (server-side) secret key of the {@link HmacAuthority}.
+ * Once the secret changes, bookmarks that are stored client-side for later use, will be rendered invalid.
+ *
+ * @apiNote the default bean is auto-configured with 'CausewayModuleCoreRuntimeServices.HmacAuthorityAutoconfigure'
+ *
+ * @since 3.5
+ */
+public interface HmacAuthority {
+
+    /**
+     * HMAC as byte array, for given input data.
+     */
+    byte[] generateHmac(byte[] data);
+
+    /**
+     * Verifies that given dataToVerify when passed to {@link #generateHmac(byte[])} yields given hmacToVerify.
+     *
+     * <p>If any of the arguments is null returns false.
+     *
+     * <p>If hmacToVerify does not conform with {@link #isValidHmacLength(int)} returns false.
+     */
+    default boolean verifyHmac(final @Nullable byte[] data, final @Nullable byte[] hmacToVerify) {
+        if(data == null || hmacToVerify == null) return false; // invalid by definition
+        if(!isValidHmacLength(hmacToVerify.length)) return false; // shortcut
+        return Arrays.equals(generateHmac(data), hmacToVerify);
+    }
+
+    /**
+     * Whether HMAC length in bytes is expected/valid.
+     */
+    boolean isValidHmacLength(int hmacLength);
+
+    // -- IMPL
+
+    record HmacSHA256(
+        SecretKeySpec secretKey) implements HmacAuthority {
+
+        private final static String ALGORITHM = "HmacSHA256";
+
+        public HmacSHA256(final byte[] secret) {
+            this(new SecretKeySpec(secret, ALGORITHM));
+        }
+
+        @SneakyThrows
+        public static HmacSHA256 randomInstance() {
+            var secret = new byte[32]; // double the minimum requirement of 16
+            SecureRandom.getInstanceStrong().nextBytes(secret);
+            return new HmacSHA256(secret);
+        }
+
+        @Override
+        public byte[] generateHmac(final byte[] data) {
+            Objects.requireNonNull(data);
+            var mac = newMac();
+            return mac.doFinal(data);
+        }
+
+        @Override
+        public boolean isValidHmacLength(final int hmacLength) {
+            return 32 == hmacLength;
+        }
+
+        // -- HELPER
+
+        @SneakyThrows
+        private Mac newMac() {
+            var mac = Mac.getInstance(ALGORITHM);
+            mac.init(secretKey);
+            return mac;
+        }
+    }
+
+    // JUNIT SUPPORT
+
+    static HmacAuthority forTesting() {
+        return new HmacSHA256("secret for testing only".getBytes());
+    }
+}

api/applib/src/main/java/org/apache/causeway/applib/services/urlencoding/UrlEncodingService.java

@@ -22,39 +22,32 @@
 
 import org.apache.causeway.commons.internal.base._Bytes;
 import org.apache.causeway.commons.internal.base._Strings;
-import org.apache.causeway.commons.internal.memento._Mementos.EncoderDecoder;
 
 /**
  * Defines a consistent way to convert strings to/from a form safe for use
  * within a URL.
  *
- * <p>
- *     The service is used by the framework to map mementos (derived from the
- *     state of the view model itself) into a form that can be used as a view
- *     model. When the framework needs to recreate the view model (for example
- *     to invoke an action on it), this URL is converted back into a view model
- *     memento, from which the view model can be hydrated.
- * </p>
+ * <p>The service is used by the framework to map mementos (derived from the
+ * state of the view model itself) into a form that can be used as a view
+ * model. When the framework needs to recreate the view model (for example
+ * to invoke an action on it), this URL is converted back into a view model
+ * memento, from which the view model can be hydrated.
  *
  * @since 1.x {@index}
  */
-public interface UrlEncodingService extends EncoderDecoder {
+public interface UrlEncodingService {
 
     /**
-     * Converts the string (eg view model memento) into a string safe for use
+     * Converts given data bytes (eg view model memento) into a string safe for use
      * within an URL
      */
-    @Override
     String encode(final byte[] bytes);
 
     /**
-     * Unconverts the string from its URL form into its original form URL.
+     * Converts the plain URL safe string back to its original data bytes.
      *
-     * <p>
-     *     Reciprocal of {@link #encode(byte[])}.
-     * </p>
+     * <p>Inverse of {@link #encode(byte[])}.
      */
-    @Override
     byte[] decode(String str);
 
     default String encodeString(final String str) {
@@ -101,7 +94,6 @@ public byte[] decode(final String str) {
                 return _Bytes.ofUrlBase64.apply(_Strings.toBytes(str, StandardCharsets.UTF_8));
             }
         };
-
     }
 
 }

api/applib/src/main/java/org/apache/causeway/applib/value/semantics/Converter.java

@@ -18,8 +18,6 @@
  */
 package org.apache.causeway.applib.value.semantics;
 
-import org.apache.causeway.commons.internal.memento._Mementos.EncoderDecoder;
-
 /**
  * Provides forth and back conversion between 2 types.
  *
@@ -28,7 +26,6 @@
  *
  * @see DefaultsProvider
  * @see Parser
- * @see EncoderDecoder
  * @see ValueSemanticsProvider
  *
  * @since 2.x {@index}

api/applib/src/main/java/org/apache/causeway/applib/value/semantics/DefaultsProvider.java

@@ -18,8 +18,6 @@
  */
 package org.apache.causeway.applib.value.semantics;
 
-import org.apache.causeway.commons.internal.memento._Mementos.EncoderDecoder;
-
 /**
  * Provides a mechanism for providing a default value for an object.
  *
@@ -40,7 +38,6 @@
  * the object reflectively.
  *
  * @see Parser
- * @see EncoderDecoder
  * @see ValueSemanticsProvider
  *
  * @since 1.x {@index}

api/applib/src/main/java/org/apache/causeway/applib/value/semantics/OrderRelation.java

@@ -18,8 +18,6 @@
  */
 package org.apache.causeway.applib.value.semantics;
 
-import org.apache.causeway.commons.internal.memento._Mementos.EncoderDecoder;
-
 /**
  * Provides an ordering relation for a given value-type.
  * <p>
@@ -36,7 +34,6 @@
  *
  * @see DefaultsProvider
  * @see Parser
- * @see EncoderDecoder
  * @see ValueSemanticsProvider
  *
  * @since 2.x {@index}

commons/src/main/java/module-info.java

@@ -50,7 +50,6 @@
     exports org.apache.causeway.commons.internal.html;
     exports org.apache.causeway.commons.internal.image;
     exports org.apache.causeway.commons.internal.ioc;
-    exports org.apache.causeway.commons.internal.memento;
     exports org.apache.causeway.commons.internal.os;
     exports org.apache.causeway.commons.internal.primitives;
     exports org.apache.causeway.commons.internal.proxy;