github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

separated claims processing out into its own service, closes #796

pull/708/merge
Justin Richer 10 years ago
parent
b811594ad4
commit
7951ff5086
3 changed files with 124 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 45
      openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java
  2. 65
      openid-connect-server/src/main/java/org/mitre/uma/service/MatchAllClaimsProcessor.java
  3. 42
      openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java

45
openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java
Unescape View File

@ -0,0 +1,45 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.uma.service;
import java.util.Collection;
import org.mitre.uma.model.Claim;
/**
*
* Processes claims presented during an UMA transaction.
*
* @author jricher
*
*/
public interface ClaimsProcessingService {
/**
*
* Determine whether or not the claims that have been supplied are
* sufficient to fulfill the requirements given by the claims that
* are required.
*
* @param claimsRequired the required claims to check against
* @param claimsSupplied the supplied claims to test
* @return the unmatched claims (if any), an empty set if the claims are satisfied, never null
*/
public Collection<Claim> claimsAreSatisfied(Collection<Claim> claimsRequired, Collection<Claim> claimsSupplied);
}

65
openid-connect-server/src/main/java/org/mitre/uma/service/MatchAllClaimsProcessor.java
Unescape View File

@ -0,0 +1,65 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.uma.service;
import java.util.Collection;
import java.util.HashSet;
import org.mitre.uma.model.Claim;
import org.springframework.stereotype.Service;
/**
* Tests if all the claims in the required set have a matching
* value in the supplied set.
*
* @author jricher
*
*/
@Service("matchAllClaimsProcessor")
public class MatchAllClaimsProcessor implements ClaimsProcessingService {
@Override
public Collection<Claim> claimsAreSatisfied(Collection<Claim> claimsRequired, Collection<Claim> claimsSupplied) {
Collection<Claim> claimsUnmatched = new HashSet<>(claimsRequired);
// see if each of the required claims has a counterpart in the supplied claims set
for (Claim required : claimsRequired) {
for (Claim supplied : claimsSupplied) {
if (required.getIssuer().containsAll(supplied.getIssuer())) {
// it's from the right issuer
if (required.getName().equals(supplied.getName()) &&
required.getValue().equals(supplied.getValue())) {
// the claim matched, pull it from the set
claimsUnmatched.remove(required);
}
}
}
}
// if there's anything left then the claims aren't satisfied, return the leftovers
return claimsUnmatched;
}
}

42
openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
Unescape View File

@ -18,6 +18,7 @@
package org.mitre.uma.web; package org.mitre.uma.web;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.UUID;
@ -40,6 +41,7 @@ import org.mitre.openid.connect.view.JsonErrorView;
import org.mitre.uma.model.Claim; import org.mitre.uma.model.Claim;
import org.mitre.uma.model.PermissionTicket; import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.ResourceSet; import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.ClaimsProcessingService;
import org.mitre.uma.service.PermissionService; import org.mitre.uma.service.PermissionService;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -105,6 +107,9 @@ public class AuthorizationRequestEndpoint {
@Autowired @Autowired
private WebResponseExceptionTranslator providerExceptionHandler; private WebResponseExceptionTranslator providerExceptionHandler;
@Autowired
private ClaimsProcessingService claimsProcessingService;
@RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String authorizationRequest(@RequestBody String jsonString, Model m, Authentication auth) { public String authorizationRequest(@RequestBody String jsonString, Model m, Authentication auth) {
@ -132,37 +137,18 @@ public class AuthorizationRequestEndpoint {
// found the ticket, see if it's any good // found the ticket, see if it's any good
ResourceSet rs = ticket.getPermission().getResourceSet(); ResourceSet rs = ticket.getPermission().getResourceSet();
Collection<Claim> claimsRequired = rs.getClaimsRequired();
Collection<Claim> claimsSupplied = ticket.getClaimsSupplied();
Collection<Claim> claimsUnmatched = new HashSet<>(claimsRequired); if (rs.getClaimsRequired() == null || rs.getClaimsRequired().isEmpty()) {
// the required claims are empty, this resource has no way to be authorized
// see if each of the required claims has a counterpart in the supplied claims set
// TODO: move this component to a claims checking service (#796) m.addAttribute(JsonErrorView.ERROR, "not_authorized");
for (Claim required : claimsRequired) { m.addAttribute(JsonErrorView.ERROR_MESSAGE, "This resource set can not be accessed.");
for (Claim supplied : claimsSupplied) { m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
if (required.getIssuer().containsAll(supplied.getIssuer())) {
// it's from the right issuer
if (required.getName().equals(supplied.getName()) &&
required.getValue().equals(supplied.getValue())) {
// the claim matched, pull it from the set
claimsUnmatched.remove(required);
}
}
}
} }
Collection<Claim> claimsUnmatched = claimsProcessingService.claimsAreSatisfied(rs.getClaimsRequired(), ticket.getClaimsSupplied());
// note that if the required claims are empty we don't want to return a token if (claimsUnmatched.isEmpty()) {
if (!claimsRequired.isEmpty() && claimsUnmatched.isEmpty()) {
// we matched all the claims, create and return the token
// TODO: move this whole mess to the OIDCTokenService (#797) // TODO: move this whole mess to the OIDCTokenService (#797)

Write Preview
Loading…
Cancel
Save