Cleanup completed, this works for the most part. TODO: need to make an upstream change in order to inject a new set of scopes into the AuthorizationRequest.
Amanda Anganes
parent
5fb67ab7bb
commit
32dc92119f
|
|
@ -0,0 +1,172 @@
|
||||||
|
/*******************************************************************************
|
||||||
|
* Copyright 2012 The MITRE Corporation
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
******************************************************************************/
|
||||||
|
package org.mitre.openid.connect.token;
|
||||||
|
|
||||||
|
import java.util.Date;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.mitre.openid.connect.model.ApprovedSite;
|
||||||
|
import org.mitre.openid.connect.model.WhitelistedSite;
|
||||||
|
import org.mitre.openid.connect.service.ApprovedSiteService;
|
||||||
|
import org.mitre.openid.connect.service.WhitelistedSiteService;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
|
||||||
|
import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
||||||
|
import org.springframework.security.oauth2.provider.ClientDetails;
|
||||||
|
import org.springframework.security.oauth2.provider.ClientDetailsService;
|
||||||
|
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
|
||||||
|
|
||||||
|
import com.google.common.base.Splitter;
|
||||||
|
import com.google.common.collect.Sets;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Custom User Approval Handler implementation which uses a concept of a whitelist,
|
||||||
|
* blacklist, and greylist.
|
||||||
|
*
|
||||||
|
* Blacklisted sites will be caught and handled before this
|
||||||
|
* point.
|
||||||
|
*
|
||||||
|
* Whitelisted sites will be automatically approved, and an ApprovedSite entry will
|
||||||
|
* be created for the site the first time a given user access it.
|
||||||
|
*
|
||||||
|
* All other sites fall into the greylist - the user will be presented with the user
|
||||||
|
* approval page upon their first visit
|
||||||
|
* @author aanganes
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class TofuUserApprovalHandler implements UserApprovalHandler {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
ApprovedSiteService approvedSiteService;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
WhitelistedSiteService whitelistedSiteService;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
ClientDetailsService clientDetailsService;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the user has already stored a positive approval decision for this site; or if the
|
||||||
|
* site is whitelisted, approve it automatically.
|
||||||
|
*
|
||||||
|
* Otherwise, return false so that the user will see the approval page and can make their own decision.
|
||||||
|
*
|
||||||
|
* @param authorizationRequest the incoming authorization request
|
||||||
|
* @param userAuthentication the Principal representing the currently-logged-in user
|
||||||
|
*
|
||||||
|
* @return true if the site is approved, false otherwise
|
||||||
|
*/
|
||||||
|
@Override
|
||||||
|
public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
|
||||||
|
|
||||||
|
//First, check database to see if the user identified by the userAuthentication has stored an approval decision
|
||||||
|
|
||||||
|
//getName may not be filled in? TODO: investigate
|
||||||
|
String userId = userAuthentication.getName();
|
||||||
|
String clientId = authorizationRequest.getClientId();
|
||||||
|
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
|
||||||
|
|
||||||
|
String scopes = authorizationRequest.getAuthorizationParameters().get("scope");
|
||||||
|
Set<String> authRequestScopes = Sets.newHashSet(Splitter.on(" ").split(scopes));
|
||||||
|
|
||||||
|
//lookup ApprovedSites by userId and clientId
|
||||||
|
ApprovedSite ap = approvedSiteService.getByClientIdAndUserId(clientId, userId);
|
||||||
|
|
||||||
|
if (ap != null) {
|
||||||
|
if (scopesMatch(authRequestScopes, ap.getAllowedScopes())) {
|
||||||
|
|
||||||
|
//We have a match; update the access date on the AP entry and return true.
|
||||||
|
ap.setAccessDate(new Date());
|
||||||
|
approvedSiteService.save(ap);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
WhitelistedSite ws = whitelistedSiteService.getByClientId(clientId);
|
||||||
|
if (ws != null && scopesMatch(authRequestScopes, ws.getAllowedScopes())) {
|
||||||
|
|
||||||
|
//Create an approved site
|
||||||
|
approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
|
||||||
|
|
||||||
|
if (approved && !authorizationRequest.getApprovalParameters().isEmpty()) {
|
||||||
|
|
||||||
|
//Only store an ApprovedSite if the user has checked "remember this decision":
|
||||||
|
if (authorizationRequest.getApprovalParameters().get("remember") != null) {
|
||||||
|
|
||||||
|
//TODO: Remember may eventually have an option to remember for a specific amount
|
||||||
|
//of time; this would set the ApprovedSite.timeout.
|
||||||
|
|
||||||
|
Set<String> allowedScopes = Sets.newHashSet();
|
||||||
|
Map<String,String> approvalParams = authorizationRequest.getApprovalParameters();
|
||||||
|
|
||||||
|
Set<String> keys = approvalParams.keySet();
|
||||||
|
|
||||||
|
for (String key : keys) {
|
||||||
|
if (key.contains("scope")) {
|
||||||
|
//This is a scope parameter from the approval page. The value sent back should
|
||||||
|
//be the scope string. Check to make sure it is contained in the client's
|
||||||
|
//registered allowed scopes.
|
||||||
|
|
||||||
|
String scope = approvalParams.get(key);
|
||||||
|
|
||||||
|
//Make sure this scope is allowed for the given client
|
||||||
|
if (client.getScope().contains(scope)) {
|
||||||
|
allowedScopes.add(scope);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//FIXME: inject the final allowedScopes set into the AuthorizationRequest. The requester may have
|
||||||
|
//asked for many scopes and the user may have denied some of them.
|
||||||
|
|
||||||
|
approvedSiteService.createApprovedSite(clientId, userId, null, allowedScopes, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check whether the requested scope set is a proper subset of the allowed scopes.
|
||||||
|
*
|
||||||
|
* @param requestedScopes
|
||||||
|
* @param allowedScopes
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
private boolean scopesMatch(Set<String> requestedScopes, Set<String> allowedScopes) {
|
||||||
|
|
||||||
|
for (String scope : requestedScopes) {
|
||||||
|
|
||||||
|
if (!allowedScopes.contains(scope)) {
|
||||||
|
throw new InvalidScopeException("Invalid scope: " + scope, allowedScopes);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue