Updated code to reflect SECOAUTH changes

pull/340/head
Amanda Anganes 2013-07-12 16:21:05 -04:00
parent ab0548fe0e
commit 3e23967b46
11 changed files with 51 additions and 45 deletions


@ -13,7 +13,7 @@ import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.StoredOAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.LinkedMultiValueMap;
@ -80,7 +80,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
return null;
}
private StoredOAuth2Request createStoredRequest(final JsonObject token) {
private OAuth2Request createStoredRequest(final JsonObject token) {
clientId = token.get("client_id").getAsString();
Set<String> scopes = new HashSet<String>();
for (JsonElement e : token.get("scope").getAsJsonArray()) {
@ -89,7 +89,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
Map<String, String> parameters = new HashMap<String, String>();
parameters.put("client_id", clientId);
parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
StoredOAuth2Request storedRequest = new StoredOAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
return storedRequest;
}
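Review bot: `createStoredRequest` still carries the old type in its name while it now returns an `OAuth2Request`; rename it to match, e.g. `private OAuth2Request createOAuth2Request(final JsonObject token) {`, and update its caller. `clientId` on the first line of the body is assigned without a declaration, so it appears to be a field of the service that every call overwrites; a local `String clientId = token.get("client_id").getAsString();` avoids shared mutable state on a singleton. `token.get("scope").getAsJsonArray()` will throw if the introspection response has no `scope` member, so a null check there is worth considering if such responses are possible. The method's callers lie outside the hunk.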


@ -43,7 +43,7 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.StoredOAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;
@ -79,9 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
@Override
public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
if (authentication != null && authentication.getStoredRequest() != null) {
if (authentication != null && authentication.getOAuth2Request() != null) {
// look up our client
StoredOAuth2Request clientAuth = authentication.getStoredRequest();
OAuth2Request clientAuth = authentication.getOAuth2Request();
ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
@ -152,11 +152,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
tokenRepository.saveAccessToken(token);
//Add approved site reference, if any
StoredOAuth2Request originalAuthRequest = authHolder.getAuthentication().getStoredRequest();
OAuth2Request originalAuthRequest = authHolder.getAuthentication().getOAuth2Request();
if (originalAuthRequest.getExtensionProperties() != null && originalAuthRequest.getExtensionProperties().containsKey("approved_site")) {
if (originalAuthRequest.getExtensions() != null && originalAuthRequest.getExtensions().containsKey("approved_site")) {
Long apId = (Long) originalAuthRequest.getExtensionProperties().get("approved_site");
Long apId = (Long) originalAuthRequest.getExtensions().get("approved_site");
ApprovedSite ap = approvedSiteService.getById(apId);
Set<OAuth2AccessTokenEntity> apTokens = ap.getApprovedAccessTokens();
apTokens.add(token);
@ -208,7 +208,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getStoredRequest().getScope());
Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
Set<String> scope = new HashSet<String>(authRequest.getScope());
if (scope != null && !scope.isEmpty()) {
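Review bot: `ApprovedSite ap = approvedSiteService.getById(apId);` in the @-152 hunk is dereferenced on the next line without a null check, so if `getById` returns null for a site that was deleted after approval the token save fails with a NullPointerException; guard it with `if (ap != null) { ... }` and skip the association otherwise. The `(Long)` cast on `getExtensions().get("approved_site")` also assumes the value is still a `Long` after whatever serialization the authentication holder goes through, which is worth confirming. In the @-208 hunk `new HashSet<String>(authRequest.getScope())` runs before the `scope != null` test, so that null check can never fire; test `authRequest.getScope()` itself instead. createAccessToken and the refresh method extend beyond these hunks.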


@ -6,7 +6,6 @@ package org.mitre.oauth2.token;
import java.util.HashSet;
import java.util.Set;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
@ -14,6 +13,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
@ -51,7 +51,7 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
* @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
*/
@Override
protected OAuth2Authentication getOAuth2Authentication(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
// read and load up the existing token
String incomingTokenValue = tokenRequest.getRequestParameters().get("token");
OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
@ -65,8 +65,6 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
}
// do a check on the requested scopes -- if they exactly match the client scopes, they were probably shadowed by the token granter
// FIXME: bug in SECOAUTH functionality
ClientDetailsEntity client = incomingToken.getClient();
if (client.getScope().equals(requestedScopes)) {
requestedScopes = new HashSet<String>();
}
@ -86,7 +84,7 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
// NOTE: don't revoke the existing access token
// create a new access token
OAuth2Authentication authentication = new OAuth2Authentication(getRequestFactory().createStoredOAuth2Request(tokenRequest), incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
OAuth2Authentication authentication = new OAuth2Authentication(getRequestFactory().createOAuth2Request(client, tokenRequest), incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
return authentication;
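Review bot: With `client` now the authenticated requesting client supplied by the framework instead of the removed `ClientDetailsEntity client = incomingToken.getClient();`, the scope check `if (client.getScope().equals(requestedScopes))` and the `createOAuth2Request(client, tokenRequest)` call in the last hunk bind the chained token to the requester rather than to the client that owns the incoming token. Unless the lines elided between the @-51 and @-65 hunks already compare the two, add `if (!incomingToken.getClient().getClientId().equals(client.getClientId())) { throw new InvalidTokenException("incoming token was not issued to the requesting client"); }` before the scope check so the owner of the incoming token and the requester must agree. The `// FIXME: bug in SECOAUTH functionality` comment is kept without saying which bug it refers to or whether the new signature resolves it; either describe it or drop it. getOAuth2Authentication's closing lines are outside the hunk.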


@ -17,6 +17,7 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
@ -56,14 +57,11 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
* @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
*/
@Override
protected OAuth2AccessToken getAccessToken(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
// read and load up the existing token
String incomingTokenValue = tokenRequest.getRequestParameters().get("assertion");
OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
ClientDetailsEntity client = incomingToken.getClient();
if (incomingToken.getScope().contains(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE)) {
if (!client.getClientId().equals(tokenRequest.getClientId())) {
@ -88,12 +86,21 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
// copy over all existing claims
JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());
// update expiration and issued-at claims
if (client.getIdTokenValiditySeconds() != null) {
Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
claims.setExpirationTime(expiration);
newIdTokenEntity.setExpiration(expiration);
}
if (client instanceof ClientDetailsEntity) {
ClientDetailsEntity clientEntity = (ClientDetailsEntity) client;
// update expiration and issued-at claims
if (clientEntity.getIdTokenValiditySeconds() != null) {
Date expiration = new Date(System.currentTimeMillis() + (clientEntity.getIdTokenValiditySeconds() * 1000L));
claims.setExpirationTime(expiration);
newIdTokenEntity.setExpiration(expiration);
}
} else {
//TODO: What should happen in this case? Is this possible?
}
claims.setIssueTime(new Date());
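Review bot: The check `if (!client.getClientId().equals(tokenRequest.getClientId()))` now compares the framework-supplied `client` with the client id of the same token request, which looks tautological once the removed `ClientDetailsEntity client = incomingToken.getClient();` is gone; before this change it compared the owner of the incoming assertion token with the requester. Restore that by comparing against the token's owner, e.g. `if (!incomingToken.getClient().getClientId().equals(client.getClientId())) {`, assuming the elided lines do not already do so. In the new `instanceof` block the `else` branch carries only a TODO, so a client that is not a `ClientDetailsEntity` leaves `claims` with the expiration copied from the original id token and `newIdTokenEntity` with no expiration at all; failing closed there, e.g. `throw new InvalidClientException("client is not a ClientDetailsEntity");` (already imported), is safer than continuing. getAccessToken continues past this hunk.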


@ -101,7 +101,7 @@ public class TokenIntrospectionView extends AbstractView {
token.addProperty("subject", src.getAuthenticationHolder().getAuthentication().getName());
token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getStoredRequest().getClientId());
token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getOAuth2Request().getClientId());
return token;
}


@ -28,7 +28,7 @@ import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.StoredOAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
@ -86,7 +86,7 @@ public class RevocationEndpoint {
// we've got a client acting on its own behalf, not an admin
//ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication();
StoredOAuth2Request clientAuth = ((OAuth2Authentication) principal).getStoredRequest();
OAuth2Request clientAuth = ((OAuth2Authentication) principal).getOAuth2Request();
if (refreshToken != null) {
if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) {


@ -37,10 +37,10 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
private static Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class);
@Autowired
//@Autowired
private NonceService nonceService;
@Autowired
//@Autowired
private ClientDetailsEntityService clientDetailsService;
@Autowired
@ -52,6 +52,7 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
* @param clientDetailsService
* @param nonceService
*/
@Autowired
public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsService, NonceService nonceService) {
super(clientDetailsService);
this.clientDetailsService = clientDetailsService;
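Review bot: The `//@Autowired` lines left above `nonceService` and `clientDetailsService` are commented-out code; now that injection happens through the `@Autowired` constructor, delete them rather than keeping the annotation in comments. With constructor injection the two fields can also become `final`, e.g. `private final NonceService nonceService;`, which documents that they are assigned exactly once. The constructor body continues outside the hunk.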


@ -30,7 +30,7 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.StoredOAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;
@ -62,7 +62,7 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
OAuth2AccessTokenEntity token = (OAuth2AccessTokenEntity) accessToken;
StoredOAuth2Request originalAuthRequest = authentication.getStoredRequest();
OAuth2Request originalAuthRequest = authentication.getOAuth2Request();
String clientId = originalAuthRequest.getClientId();
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);


@ -117,7 +117,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
ap.setAccessDate(new Date());
approvedSiteService.save(ap);
authorizationRequest.getExtensionProperties().put("approved_site", ap.getId());
authorizationRequest.getExtensions().put("approved_site", ap.getId());
authorizationRequest.setApproved(true);
alreadyApproved = true;
}
@ -130,7 +130,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
//Create an approved site
ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
authorizationRequest.getExtensions().put("approved_site", newSite.getId());
authorizationRequest.setApproved(true);
}
}
@ -192,7 +192,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
}
ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, timeout, allowedScopes, null);
authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
authorizationRequest.getExtensions().put("approved_site", newSite.getId());
}
}
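Review bot: The extension key `"approved_site"` is written as a bare string literal in all three hunks here and read back with the same literal in DefaultOAuth2ProviderTokenService, so a typo on either side fails silently as "no approved site". Define it once, e.g. `public static final String APPROVED_SITE = "approved_site";` on a class both sides already depend on, and use it at both ends. The stored value is `ap.getId()`, which the reader casts to `Long`; keep the two in agreement if the id type ever changes. The enclosing methods extend beyond these hunks.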


@ -26,8 +26,8 @@ import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.StoredOAuth2Request;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
@ -173,7 +173,7 @@ public class ClientDynamicRegistrationEndpoint {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
// we return the token that we got in
@ -189,7 +189,7 @@ public class ClientDynamicRegistrationEndpoint {
} else {
// client mismatch
logger.error("readClientConfiguration failed, client ID mismatch: "
+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
return "httpCodeView";
@ -213,7 +213,7 @@ public class ClientDynamicRegistrationEndpoint {
ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
if (newClient != null && oldClient != null // we have an existing client and the new one parsed
&& oldClient.getClientId().equals(auth.getStoredRequest().getClientId()) // the client passed in the URI matches the one in the auth
&& oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth
&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
) {
@ -260,7 +260,7 @@ public class ClientDynamicRegistrationEndpoint {
} else {
// client mismatch
logger.error("readClientConfiguration failed, client ID mismatch: "
+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
return "httpCodeView";
@ -280,7 +280,7 @@ public class ClientDynamicRegistrationEndpoint {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
clientService.deleteClient(client);
@ -297,7 +297,7 @@ public class ClientDynamicRegistrationEndpoint {
} else {
// client mismatch
logger.error("readClientConfiguration failed, client ID mismatch: "
+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
return "httpCodeView";
@ -470,7 +470,7 @@ public class ClientDynamicRegistrationEndpoint {
Map<String, String> authorizationParameters = Maps.newHashMap();
authorizationParameters.put("client_id", client.getClientId());
authorizationParameters.put("scope", OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE);
StoredOAuth2Request storedRequest = new StoredOAuth2Request(authorizationParameters, client.getClientId(),
OAuth2Request storedRequest = new OAuth2Request(authorizationParameters, client.getClientId(),
Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true,
Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null);
OAuth2Authentication authentication = new OAuth2Authentication(storedRequest, null);
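Review bot: The mismatch branches in the @-189, @-260 and @-297 hunks all log `"readClientConfiguration failed, client ID mismatch: ..."`, although the @-213 and @-280 hunks appear to belong to different operations (the latter goes on to call `clientService.deleteClient(client)`), so the log misattributes failures; name the operation that actually failed in each message. The same `client.getClientId().equals(auth.getOAuth2Request().getClientId())` comparison is spelled out in five places; a small private helper taking the URI `clientId` and `auth` would keep the check and its log line consistent. The enclosing methods extend beyond the hunks.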


@ -98,8 +98,8 @@ public class UserInfoEndpoint {
if (p instanceof OAuth2Authentication) {
OAuth2Authentication authentication = (OAuth2Authentication)p;
model.addAttribute("scope", authentication.getStoredRequest().getScope());
model.addAttribute("requestObject", authentication.getStoredRequest().getRequestParameters().get("request"));
model.addAttribute("scope", authentication.getOAuth2Request().getScope());
model.addAttribute("requestObject", authentication.getOAuth2Request().getRequestParameters().get("request"));
}
model.addAttribute("userInfo", userInfo);