refactored introspection to allow for UMA style token access

openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java

@@ -16,7 +16,6 @@
  *******************************************************************************/
 package org.mitre.oauth2.web;
 
-import java.security.Principal;
 import java.util.Map;
 import java.util.Set;
 
@@ -27,6 +26,7 @@ import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.IntrospectionAuthorizer;
 import org.mitre.oauth2.service.IntrospectionResultAssembler;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
 import org.mitre.openid.connect.view.HttpCodeView;
@@ -35,8 +35,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -45,6 +46,8 @@ import org.springframework.web.bind.annotation.RequestParam;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 
+import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
+
 @Controller
 public class IntrospectionEndpoint {
 
@@ -73,12 +76,10 @@ public class IntrospectionEndpoint {
 		this.tokenServices = tokenServices;
 	}
 
-	@PreAuthorize("hasRole('ROLE_CLIENT')")
 	@RequestMapping("/introspect")
 	public String verify(@RequestParam("token") String tokenValue,
-			@RequestParam(value = "resource_id", required = false) String resourceId,
 			@RequestParam(value = "token_type_hint", required = false) String tokenType,
-			Principal p, Model model) {
+			Authentication auth, Model model) {
 
 		if (Strings.isNullOrEmpty(tokenValue)) {
 			logger.error("Verify failed; token value is null");
@@ -87,6 +88,46 @@ public class IntrospectionEndpoint {
 			return JsonEntityView.VIEWNAME;
 		}
 
+		ClientDetailsEntity authClient = null;
+		
+		if (auth instanceof OAuth2Authentication) {
+			// the client authenticated with OAuth, do our UMA checks
+			ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
+			
+			// get out the client that was issued the access token (not the token being introspected)
+			OAuth2Authentication o2a = (OAuth2Authentication) auth;
+			
+			String authClientId = o2a.getOAuth2Request().getClientId();
+			authClient = clientService.loadClientByClientId(authClientId);
+			
+		} else {
+			// the client authenticated directly, make sure it's got the right access
+			
+			String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
+			authClient = clientService.loadClientByClientId(authClientId);
+			
+			if (!AuthenticationUtilities.hasRole(auth, "ROLE_CLIENT")
+					|| !authClient.isAllowIntrospection()) {
+				
+				// this client isn't allowed to do direct introspection
+				
+				logger.error("Client " + authClient.getClientId() + " is not allowed to call introspection endpoint");
+				model.addAttribute("code", HttpStatus.FORBIDDEN);
+				return HttpCodeView.VIEWNAME;
+
+			}
+			
+		}
+		
+		if (authClient != null) {
+			// shouldn't ever get here, if the client's been authenticated by now it should exist
+			logger.error("Introspection client wasn't found");
+			model.addAttribute("code", HttpStatus.FORBIDDEN);
+			return HttpCodeView.VIEWNAME;
+		}
+
+		// now we need to look up the token in our token stores
+		
 		OAuth2AccessTokenEntity accessToken = null;
 		OAuth2RefreshTokenEntity refreshToken = null;
 		ClientDetailsEntity tokenClient;
@@ -101,10 +142,12 @@ public class IntrospectionEndpoint {
 			tokenClient = accessToken.getClient();
 			scopes = accessToken.getScope();
 
-			user = userInfoService.getByUsernameAndClientId(accessToken.getAuthenticationHolder().getAuthentication().getName(), tokenClient.getClientId());
+			// get the user information of the user that authorized this token in the first place
+			String userName = accessToken.getAuthenticationHolder().getAuthentication().getName();
+			user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());
 
 		} catch (InvalidTokenException e) {
-			logger.info("Verify failed; Invalid access token. Checking refresh token.");
+			logger.info("Invalid access token. Checking refresh token.");
 			try {
 
 				// check refresh tokens next
@@ -113,39 +156,45 @@ public class IntrospectionEndpoint {
 				tokenClient = refreshToken.getClient();
 				scopes = refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope();
 
-				user = userInfoService.getByUsernameAndClientId(refreshToken.getAuthenticationHolder().getAuthentication().getName(), tokenClient.getClientId());
+				// get the user information of the user that authorized this token in the first place
+				String userName = refreshToken.getAuthenticationHolder().getAuthentication().getName();
+				user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());
 
 			} catch (InvalidTokenException e2) {
-				logger.error("Verify failed; Invalid access/refresh token", e2);
+				logger.error("Invalid refresh token", e2);
 				Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
 				model.addAttribute("entity", entity);
 				return JsonEntityView.VIEWNAME;
 			}
 		}
 
-		// clientID is the principal name in the authentication
+		if (accessToken == null && refreshToken == null) {
-		String clientId = p.getName();
+		}
-		ClientDetailsEntity authClient = clientService.loadClientByClientId(clientId);
 		
-		if (authClient.isAllowIntrospection()) {
+		if (introspectionAuthorizer.isIntrospectionPermitted(authClient, tokenClient, scopes)) {
-			if (introspectionAuthorizer.isIntrospectionPermitted(authClient, tokenClient, scopes)) {
+			// if it's a valid token, we'll print out information on it
-				// if it's a valid token, we'll print out information on it
+			
-				Map<String, Object> entity = accessToken != null
+			if (accessToken != null) {
-						? introspectionResultAssembler.assembleFrom(accessToken, user)
+				Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user);
-								: introspectionResultAssembler.assembleFrom(refreshToken, user);
+				model.addAttribute("entity", entity);
-						model.addAttribute("entity", entity);
+			} else if (refreshToken != null) {
-						return JsonEntityView.VIEWNAME;
+				Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
+				model.addAttribute("entity", entity);
 			} else {
-				logger.error("Verify failed; client configuration or scope don't permit token introspection");
+				// no tokens were found (we shouldn't get here)
-				model.addAttribute("code", HttpStatus.FORBIDDEN);
+				logger.error("Verify failed; Invalid access/refresh token");
-				return HttpCodeView.VIEWNAME;
+				Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
+				model.addAttribute("entity", entity);
+				return JsonEntityView.VIEWNAME;
 			}
+			
+			return JsonEntityView.VIEWNAME;
+			
 		} else {
-			logger.error("Verify failed; client " + clientId + " is not allowed to call introspection endpoint");
+			logger.error("Verify failed; client configuration or scope don't permit token introspection");
 			model.addAttribute("code", HttpStatus.FORBIDDEN);
 			return HttpCodeView.VIEWNAME;
 		}
-
 	}
 
 }