collapsed two serialization functions into one

pull/516/head
Justin Richer 11 years ago
parent d919e2e330
commit 7a4366c083

@ -1,6 +1,6 @@
package org.mitre.openid.connect.view;
import java.util.List;
import java.util.HashSet;
import java.util.Map.Entry;
import java.util.Set;
@ -14,29 +14,6 @@ public class UserInfoSerializer {
private static ScopeClaimTranslationService translator = new ScopeClaimTranslationService();
/**
* Filter the UserInfo object by scope, using our ScopeClaimTranslationService to determine
* which claims are allowed for each given scope.
*
* @param ui the UserInfo to filter
* @param scope the allowed scopes to filter by
* @return the filtered JsonObject result
*/
public static JsonObject filterByScope(UserInfo ui, Set<String> scope) {
JsonObject uiJson = ui.toJson();
List<String> filteredClaims = translator.getClaimsForScopeSet(scope);
JsonObject result = new JsonObject();
for (String claim : filteredClaims) {
if (uiJson.has(claim)) {
result.add(claim, uiJson.get(claim));
}
}
return result;
}
/**
* Build a JSON response according to the request object received.
*
@ -51,32 +28,43 @@ public class UserInfoSerializer {
*/
public static JsonObject toJsonFromRequestObj(UserInfo ui, Set<String> scope, JsonObject authorizedClaims, JsonObject requestedClaims) {
// Only proceed if we have both requested claims and authorized claims list. Otherwise just return
// the scope-filtered claim set.
if (requestedClaims == null || authorizedClaims == null) {
return filterByScope(ui, scope);
}
// get the base object
JsonObject obj = ui.toJson();
List<String> allowedByScope = translator.getClaimsForScopeSet(scope);
Set<String> allowedByScope = translator.getClaimsForScopeSet(scope);
Set<String> authorizedByClaims = new HashSet<String>();
Set<String> requestedByClaims = new HashSet<String>();
if (authorizedClaims != null) {
JsonObject userinfoAuthorized = authorizedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
for (Entry<String, JsonElement> entry : userinfoAuthorized.getAsJsonObject().entrySet()) {
authorizedByClaims.add(entry.getKey());
}
}
if (requestedClaims != null) {
JsonObject userinfoRequested = requestedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
if (userinfoAuthorized == null || !userinfoAuthorized.isJsonObject()) {
return obj;
for (Entry<String, JsonElement> entry : userinfoRequested.getAsJsonObject().entrySet()) {
requestedByClaims.add(entry.getKey());
}
}
// Filter claims by performing a manual intersection of claims that are allowed by the given scope, requested, and authorized.
// We cannot use Sets.intersection() or similar because Entry<> objects will evaluate to being unequal if their values are
// different, whereas we are only interested in matching the Entry<>'s key values.
JsonObject result = new JsonObject();
for (Entry<String, JsonElement> entry : userinfoAuthorized.getAsJsonObject().entrySet()) {
if (userinfoRequested.has(entry.getKey()) && allowedByScope.contains(entry.getKey())) {
for (Entry<String, JsonElement> entry : obj.entrySet()) {
if (allowedByScope.contains(entry.getKey())
|| authorizedByClaims.contains(entry.getKey())) {
// it's allowed either by scope or by the authorized claims (either way is fine with us)
if (requestedByClaims.isEmpty() || requestedByClaims.contains(entry.getKey())) {
// the requested claims are empty (so we allow all), or they're not empty and this claim was specifically asked for
result.add(entry.getKey(), entry.getValue());
} // otherwise there were specific claims requested and this wasn't one of them
}
}
return result;
}
}

@ -108,11 +108,7 @@ public class UserInfoView extends AbstractView {
if (model.get("requestedClaims") != null) {
requestedClaims = jsonParser.parse((String) model.get("requestedClaims")).getAsJsonObject();
}
if (authorizedClaims != null || requestedClaims != null) {
gson.toJson(UserInfoSerializer.toJsonFromRequestObj(userInfo, scope, authorizedClaims, requestedClaims), out);
} else {
gson.toJson(UserInfoSerializer.filterByScope(userInfo, scope), out);
}
} catch (IOException e) {

Loading…
Cancel
Save