refactored request object endpoint to avoid urlspace conflict with SECOAUTH

openid-connect-server/src/main/java/org/mitre/openid/connect/web/RequestObjectAuthorizationEndpoint.java

@@ -31,6 +31,7 @@ import org.springframework.security.oauth2.provider.approval.UserApprovalHandler
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
 import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
 import org.springframework.security.oauth2.provider.endpoint.AbstractEndpoint;
+import org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint;
 import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
 import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
 import org.springframework.stereotype.Controller;
@@ -50,32 +51,14 @@ import com.google.common.base.Splitter;
 import com.google.common.collect.Sets;
 
 @Controller("requestObjectAuthorzationEndpoint")
-@SessionAttributes(types = AuthorizationRequest.class)
+public class RequestObjectAuthorizationEndpoint {
-@RequestMapping(value = "/oauth/authorize")
-public class RequestObjectAuthorizationEndpoint extends AbstractEndpoint implements InitializingBean{
-	
-	// TODO: clean up member variable inheritance
-	
-	@Autowired
-	private TokenGranter tokenGranter;
 	
 	protected final Log logger = LogFactory.getLog(getClass());
 
-	@Autowired(required = false)
-	private RedirectResolver redirectResolver = new DefaultRedirectResolver();
-	
 	@Autowired
-	private ClientDetailsService clientDetailsService;
+	private AuthorizationEndpoint authorizationEndpoint;
 	
-	@Autowired(required = false)
+	@RequestMapping(value = "/oauth/authorize", params = "request")
-	private UserApprovalHandler userApprovalHandler = new DefaultUserApprovalHandler();
-	
-	@Autowired
-	private AuthorizationCodeServices authorizationCodeServices;
-	
-	private String userApprovalPage = "forward:/oauth/confirm_access";
-	
-	@RequestMapping(params = "request")
 	public ModelAndView authorizeRequestObject(Map<String, Object> model, @RequestParam("request") String jwtString, 
 			@RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
 		
@@ -162,417 +145,8 @@ public class RequestObjectAuthorizationEndpoint extends AbstractEndpoint impleme
 			}
 		}
 
-		AuthorizationRequest authorizationRequest = new AuthorizationRequest(parameters, null, clientId, scopes);
+		// call out to the SECOAUTH endpoint to do the real processing
-
+		return authorizationEndpoint.authorize(model, parameters.get("response_type"), parameters, sessionStatus, principal);
-		if (authorizationRequest.getClientId() == null) {
-			sessionStatus.setComplete();
-			throw new InvalidClientException("A client_id must be supplied.");
-		}
-
-		if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
-			sessionStatus.setComplete();
-			throw new InsufficientAuthenticationException(
-					"User must be authenticated with Spring Security before authorization can be completed.");
-		}
-
-		if (!authorizationRequest.getResponseTypes().contains("token") && !authorizationRequest.getResponseTypes().contains("code")) {
-			throw new UnsupportedGrantTypeException("Unsupported response types: " + authorizationRequest.getResponseTypes());
-		}
-
-		try {
-
-			authorizationRequest = resolveRedirectUriAndCheckApproval(authorizationRequest, (Authentication) principal);
-			if (authorizationRequest.isApproved()) {
-				if (authorizationRequest.getResponseTypes().contains("token")) {
-					return getImplicitGrantResponse(authorizationRequest);
-				}
-				if (authorizationRequest.getResponseTypes().contains("code")) {
-					return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,
-							(Authentication) principal));
-				}
-			}
-
-			// Place auth request into the model so that it is stored in the session
-			// for approveOrDeny to use. That way we make sure that auth request comes from the session,
-			// so any auth request parameters passed to approveOrDeny will be ignored and retrieved from the session.
-			model.put("authorizationRequest", authorizationRequest);
-
-			return getUserApprovalPageResponse(model, authorizationRequest);
-
-		}
-		catch (RuntimeException e) {
-			sessionStatus.setComplete();
-			throw e;
-		}	
 	}
 	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-	
-	@RequestMapping(method = RequestMethod.POST, params = AuthorizationRequest.USER_OAUTH_APPROVAL)
-	public View approveOrDeny(@RequestParam Map<String, String> approvalParameters,
-			@ModelAttribute AuthorizationRequest authorizationRequest, SessionStatus sessionStatus, Principal principal) {
-
-		if (authorizationRequest.getClientId() == null) {
-			sessionStatus.setComplete();
-			throw new InvalidClientException("A client_id must be supplied.");
-		}
-
-		if (!(principal instanceof Authentication)) {
-			sessionStatus.setComplete();
-			throw new InsufficientAuthenticationException(
-					"User must be authenticated with Spring Security before authorizing an access token.");
-		}
-
-		try {
-			Set<String> responseTypes = authorizationRequest.getResponseTypes();
-
-			authorizationRequest = authorizationRequest.addApprovalParameters(approvalParameters);
-			authorizationRequest = resolveRedirectUriAndCheckApproval(authorizationRequest, (Authentication) principal);
-
-			if (!authorizationRequest.isApproved()) {
-				return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
-						new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
-						false);
-			}
-
-			if (responseTypes.contains("token")) {
-				return getImplicitGrantResponse(authorizationRequest).getView();
-			}
-
-			return getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal);
-		}
-		finally {
-			sessionStatus.setComplete();
-		}
-
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private AuthorizationRequest resolveRedirectUriAndCheckApproval(AuthorizationRequest authorizationRequest, 
-			Authentication authentication) throws OAuth2Exception {
-		
-		String requestedRedirect = redirectResolver.resolveRedirect(authorizationRequest.getRedirectUri(),
-				clientDetailsService.loadClientByClientId(authorizationRequest.getClientId()));
-		authorizationRequest = authorizationRequest.resolveRedirectUri(requestedRedirect);
-
-		boolean approved = authorizationRequest.isApproved();
-		if (!approved) {
-			approved = userApprovalHandler.isApproved(authorizationRequest, authentication);
-			authorizationRequest = authorizationRequest.approved(approved);
-		}
-
-		return authorizationRequest;
-
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorizationRequest) {
-		
-		try {
-			OAuth2AccessToken accessToken = getTokenGranter().grant("implicit",
-					authorizationRequest.getAuthorizationParameters(), authorizationRequest.getClientId(),
-					authorizationRequest.getScope());
-			if (accessToken == null) {
-				throw new UnsupportedGrantTypeException("Unsupported grant type: implicit");
-			}
-			return new ModelAndView(new RedirectView(appendAccessToken(authorizationRequest, accessToken), false));
-		}
-		catch (OAuth2Exception e) {
-			return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false));
-		}
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private String appendAccessToken(AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {
-		
-		String requestedRedirect = authorizationRequest.getRedirectUri();
-		if (accessToken == null) {
-			throw new InvalidGrantException("An implicit grant could not be made");
-		}
-		StringBuilder url = new StringBuilder(requestedRedirect);
-		if (requestedRedirect.contains("#")) {
-			url.append("&");
-		}
-		else {
-			url.append("#");
-		}
-		url.append("access_token=" + accessToken.getValue());
-		url.append("&token_type=" + accessToken.getTokenType());
-		String state = authorizationRequest.getState();
-		if (state != null) {
-			url.append("&state=" + state);
-		}
-		Date expiration = accessToken.getExpiration();
-		if (expiration != null) {
-			long expires_in = (expiration.getTime() - System.currentTimeMillis()) / 1000;
-			url.append("&expires_in=" + expires_in);
-		}
-		Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
-		for (String key : additionalInformation.keySet()) {
-			Object value = additionalInformation.get(key);
-			if (value != null && ClassUtils.isPrimitiveOrWrapper(value.getClass())) {
-				url.append("&" + key + "=" + value);
-			}
-		}
-		// Do not include the refresh token (even if there is one)
-		return url.toString();
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authUser) {
-		try {
-			return new RedirectView(getSuccessfulRedirect(authorizationRequest,
-					generateCode(authorizationRequest, authUser)), false);
-		}
-		catch (OAuth2Exception e) {
-			return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, false), false);
-		}
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication)
-			throws AuthenticationException {
-
-		try {
-
-			AuthorizationRequestHolder combinedAuth = new AuthorizationRequestHolder(authorizationRequest,
-					authentication);
-			String code = authorizationCodeServices.createAuthorizationCode(combinedAuth);
-
-			return code;
-
-		}
-		catch (OAuth2Exception e) {
-
-			if (authorizationRequest.getState() != null) {
-				e.addAdditionalInformation("state", authorizationRequest.getState());
-			}
-
-			throw e;
-
-		}
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private String getUnsuccessfulRedirect(AuthorizationRequest authorizationRequest, OAuth2Exception failure,
-			boolean fragment) {
-
-		// TODO: allow custom failure handling?
-		if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
-			// we have no redirect for the user. very sad.
-			throw new UnapprovedClientAuthenticationException("Authorization failure, and no redirect URI.", failure);
-		}
-
-		String redirectUri = authorizationRequest.getRedirectUri();
-
-		// extract existing fragments if any
-		String[] fragments = redirectUri.split("#");
-
-		StringBuilder url = new StringBuilder(fragment ? redirectUri : fragments[0]);
-
-		char separator = fragment ? '#' : '?';
-		if (redirectUri.indexOf(separator) < 0) {
-			url.append(separator);
-		}
-		else {
-			url.append('&');
-		}
-		url.append("error=").append(failure.getOAuth2ErrorCode());
-		try {
-
-			url.append("&error_description=").append(URLEncoder.encode(failure.getMessage(), "UTF-8"));
-
-			if (authorizationRequest.getState() != null) {
-				url.append('&').append("state=").append(authorizationRequest.getState());
-			}
-
-			if (failure.getAdditionalInformation() != null) {
-				for (Map.Entry<String, String> additionalInfo : failure.getAdditionalInformation().entrySet()) {
-					url.append('&').append(additionalInfo.getKey()).append('=')
-							.append(URLEncoder.encode(additionalInfo.getValue(), "UTF-8"));
-				}
-			}
-
-		}
-		catch (UnsupportedEncodingException e) {
-			throw new IllegalStateException(e);
-		}
-
-		if (!fragment && fragments.length > 1) {
-			url.append("#" + fragments[1]);
-		}
-
-		return url.toString();
-
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private ModelAndView getUserApprovalPageResponse(Map<String, Object> model,
-			AuthorizationRequest authorizationRequest) {
-		logger.debug("Loading user approval page: " + userApprovalPage);
-		// In case of a redirect we might want the request parameters to be included
-		model.putAll(authorizationRequest.getAuthorizationParameters());
-		return new ModelAndView(userApprovalPage, model);
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AuthorizationEndpoint
-	// 
-
-	private String getSuccessfulRedirect(AuthorizationRequest authorizationRequest, String authorizationCode) {
-
-		if (authorizationCode == null) {
-			throw new IllegalStateException("No authorization code found in the current request scope.");
-		}
-
-		String requestedRedirect = authorizationRequest.getRedirectUri();
-		String[] fragments = requestedRedirect.split("#");
-		String state = authorizationRequest.getState();
-
-		StringBuilder url = new StringBuilder(fragments[0]);
-		if (requestedRedirect.indexOf('?') < 0) {
-			url.append('?');
-		}
-		else {
-			url.append('&');
-		}
-		url.append("code=").append(authorizationCode);
-
-		if (state != null) {
-			url.append("&state=").append(state);
-		}
-
-		if (fragments.length > 1) {
-			url.append("#" + fragments[1]);
-		}
-
-		return url.toString();
-	}
-	
-	//
-	// TODO: Remove when possible
-	// COPIED FROM SECOAUTH AbstractEndpoint
-	// 
-	@Override
-	public void afterPropertiesSet() throws Exception {
-		Assert.state(tokenGranter != null, "TokenGranter must be provided");
-		
-	}
-
-	/**
-	 * @return the tokenGranter
-	 */
-	public TokenGranter getTokenGranter() {
-		return tokenGranter;
-	}
-
-	/**
-	 * @param tokenGranter the tokenGranter to set
-	 */
-	public void setTokenGranter(TokenGranter tokenGranter) {
-		this.tokenGranter = tokenGranter;
-	}
-
-	/**
-	 * @return the redirectResolver
-	 */
-	public RedirectResolver getRedirectResolver() {
-		return redirectResolver;
-	}
-
-	/**
-	 * @param redirectResolver the redirectResolver to set
-	 */
-	public void setRedirectResolver(RedirectResolver redirectResolver) {
-		this.redirectResolver = redirectResolver;
-	}
-
-	/**
-	 * @return the clientDetailsService
-	 */
-	public ClientDetailsService getClientDetailsService() {
-		return clientDetailsService;
-	}
-
-	/**
-	 * @param clientDetailsService the clientDetailsService to set
-	 */
-	public void setClientDetailsService(ClientDetailsService clientDetailsService) {
-		this.clientDetailsService = clientDetailsService;
-	}
-
-	/**
-	 * @return the userApprovalHandler
-	 */
-	public UserApprovalHandler getUserApprovalHandler() {
-		return userApprovalHandler;
-	}
-
-	/**
-	 * @param userApprovalHandler the userApprovalHandler to set
-	 */
-	public void setUserApprovalHandler(UserApprovalHandler userApprovalHandler) {
-		this.userApprovalHandler = userApprovalHandler;
-	}
-
-	/**
-	 * @return the authorizationCodeServices
-	 */
-	public AuthorizationCodeServices getAuthorizationCodeServices() {
-		return authorizationCodeServices;
-	}
-
-	/**
-	 * @param authorizationCodeServices the authorizationCodeServices to set
-	 */
-	public void setAuthorizationCodeServices(
-			AuthorizationCodeServices authorizationCodeServices) {
-		this.authorizationCodeServices = authorizationCodeServices;
-	}
-
-	/**
-	 * @return the userApprovalPage
-	 */
-	public String getUserApprovalPage() {
-		return userApprovalPage;
-	}
-
-	/**
-	 * @param userApprovalPage the userApprovalPage to set
-	 */
-	public void setUserApprovalPage(String userApprovalPage) {
-		this.userApprovalPage = userApprovalPage;
-	}
 }