added scope-based authorities granter for introspections services, closes #835

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java

@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.introspectingfilter.service.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
+
+import com.google.gson.JsonObject;
+
+/**
+ * @author jricher
+ *
+ */
+public class ScopeBasedIntrospectionAuthoritiesGranter implements IntrospectionAuthorityGranter {
+	
+	private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_API");
+
+	/* (non-Javadoc)
+	 * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
+	 */
+	@Override
+	public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) {
+		List<GrantedAuthority> auth = new ArrayList<>(getAuthorities());
+		
+		if (introspectionResponse.has("scope") && introspectionResponse.get("scope").isJsonPrimitive()) {
+			String scopeString = introspectionResponse.get("scope").getAsString();
+			Set<String> scopes = OAuth2Utils.parseParameterList(scopeString);
+			for (String scope : scopes) {
+				auth.add(new SimpleGrantedAuthority("OAUTH_SCOPE_" + scope));
+			}
+		}
+		
+		return auth;
+	}
+
+	/**
+	 * @return the authorities
+	 */
+	public List<GrantedAuthority> getAuthorities() {
+		return authorities;
+	}
+
+	/**
+	 * @param authorities the authorities to set
+	 */
+	public void setAuthorities(List<GrantedAuthority> authorities) {
+		this.authorities = authorities;
+	}
+
+}

openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java

@@ -0,0 +1,85 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.introspectingfilter.service.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import com.google.gson.JsonObject;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author jricher
+ *
+ */
+public class TestScopeBasedIntrospectionAuthoritiesGranter {
+
+	private JsonObject introspectionResponse;
+
+	private ScopeBasedIntrospectionAuthoritiesGranter granter = new ScopeBasedIntrospectionAuthoritiesGranter();
+	
+	/**
+	 * @throws java.lang.Exception
+	 */
+	@Before
+	public void setUp() throws Exception {
+		introspectionResponse = new JsonObject();
+	}
+
+	/**
+	 * Test method for {@link org.mitre.oauth2.introspectingfilter.service.impl.ScopeBasedIntrospectionAuthoritiesGranter#getAuthorities(com.google.gson.JsonObject)}.
+	 */
+	@Test
+	public void testGetAuthoritiesJsonObject_withScopes() {
+		introspectionResponse.addProperty("scope", "foo bar baz batman");
+		
+		List<GrantedAuthority> expected = new ArrayList<>();
+		expected.add(new SimpleGrantedAuthority("ROLE_API"));
+		expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_foo"));
+		expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_bar"));
+		expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_baz"));
+		expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_batman"));
+		
+		List<GrantedAuthority> authorities = granter.getAuthorities(introspectionResponse);
+		
+		assertTrue(authorities.containsAll(expected));
+		assertTrue(expected.containsAll(authorities));
+	}
+
+	/**
+	 * Test method for {@link org.mitre.oauth2.introspectingfilter.service.impl.ScopeBasedIntrospectionAuthoritiesGranter#getAuthorities(com.google.gson.JsonObject)}.
+	 */
+	@Test
+	public void testGetAuthoritiesJsonObject_withoutScopes() {
+		
+		List<GrantedAuthority> expected = new ArrayList<>();
+		expected.add(new SimpleGrantedAuthority("ROLE_API"));
+		
+		List<GrantedAuthority> authorities = granter.getAuthorities(introspectionResponse);
+		
+		assertTrue(authorities.containsAll(expected));
+		assertTrue(expected.containsAll(authorities));
+	}
+
+}