Completed a rudimentary UMA authorization API.

Working: resource set registration, permission ticket creation, RPT creation from ticket

Still missing: adding required claims to resource set, adding provided claims to permission ticket
pull/708/merge
Justin Richer 2015-03-17 22:26:12 -04:00
parent e1769d1545
commit 7df31f1e87
4 changed files with 112 additions and 12 deletions


@ -11,7 +11,9 @@ START TRANSACTION;
--
INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
('client', 'secret', 'Test Client', false, null, 3600, 600, true);
('client', 'secret', 'Test Client', false, null, 3600, 600, true),
('rs', 'secret', 'Test UMA RS', false, null, null, 600, false),
('c', 'secret', 'Test UMA Client', false, null, null, 600, false);
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'openid'),
@ -19,7 +21,9 @@ INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'email'),
('client', 'address'),
('client', 'phone'),
('client', 'offline_access');
('client', 'offline_access'),
('rs', 'uma_protection'),
('c', 'uma_authorization');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
('client', 'http://localhost/'),
@ -29,7 +33,11 @@ INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
('client', 'authorization_code'),
('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
('client', 'implicit'),
('client', 'refresh_token');
('client', 'refresh_token'),
('rs', 'authorization_code'),
('rs', 'implicit'),
('c', 'authorization_code'),
('c', 'implicit');
--
-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
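Review bot: The new `rs` client is seeded with `allow_introspection` = false at the `('rs', 'secret', 'Test UMA RS', ...)` row, yet the resource server is the party that has to introspect RPTs at this server (the introspection assembler in this same commit is extended precisely to emit `permissions` for that consumer); unless the RS is meant to validate RPTs some other way, that row should read `('rs', 'secret', 'Test UMA RS', false, null, null, 600, true),`. Both `rs` and `c` are also granted `authorization_code` and `implicit` in the last hunk, but no `client_redirect_uri_TEMP` rows are added for them anywhere in this change, so those redirect-based flows cannot complete for either client as seeded unless URIs are registered elsewhere; add e.g. `('c', 'http://localhost/'),` next to the existing `client` entry if that is intended. Finally, the literal `'secret'` is now reused across three clients; that is tolerable for a test seed, but a comment such as `-- test-only credentials: never load this file into a production database` above the INSERT would make the intent explicit.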


@ -24,6 +24,7 @@ import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.IntrospectionResultAssembler;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.uma.model.Permission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -53,9 +54,26 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(ACTIVE, true);
Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
if (accessToken.getPermissions() != null && !accessToken.getPermissions().isEmpty()) {
Set<Object> permissions = Sets.newHashSet();
for (Permission perm : accessToken.getPermissions()) {
Map<String, Object> o = newLinkedHashMap();
o.put("resource_set_id", perm.getResourceSet().getId().toString());
Set<String> scopes = Sets.newHashSet(perm.getScopes());
o.put("scopes", scopes);
permissions.add(o);
}
result.put("permissions", permissions);
} else {
Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
}
if (accessToken.getExpiration() != null) {
try {
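Review bot: The new `permissions` branch returns `resource_set_id` and the full scope set of every permission on the token to any caller permitted to introspect, whereas the `scope` branch it replaces narrows the response to `authScopes` (the introspecting caller's own scopes); if `ResourceSet` records which client registered it, the loop should skip permissions whose resource set does not belong to the introspecting client, so one resource server cannot learn another's resource-set ids and scopes by introspecting a shared RPT. Note also that the branch omits the `scope` member entirely, which any consumer that reads `scope` unconditionally will notice; if that is intentional it deserves a comment, e.g. `// UMA RPTs carry permissions instead of a flat scope list`. `perm.getResourceSet()` is dereferenced without a null check at `o.put("resource_set_id", ...)`, which is fine only if the model guarantees the association is always populated. Stylistically, `"permissions"`, `"resource_set_id"` and `"scopes"` should be constants on the interface alongside `ACTIVE` and `SCOPE`, since the RS will depend on these exact names.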


@ -17,16 +17,22 @@
package org.mitre.uma.web;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.UUID;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.oauth2.model.AuthenticationHolderEntity;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.repository.AuthenticationHolderRepository;
import org.mitre.oauth2.repository.OAuth2TokenRepository;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.oauth2.web.AuthenticationUtilities;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.service.OIDCTokenService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonEntityView;
@ -35,11 +41,14 @@ import org.mitre.uma.model.Claim;
import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.PermissionService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
@ -49,11 +58,18 @@ import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
/**
* @author jricher
@ -77,6 +93,14 @@ public class AuthorizationRequestEndpoint {
@Autowired
private OIDCTokenService oidcTokenService;
/////// TODO: TEMPORARY
@Autowired private AuthenticationHolderRepository authenticationHolderRepository;
@Autowired private OAuth2TokenRepository tokenRepository;
@Autowired private ClientDetailsEntityService clientService;
@Autowired private ConfigurationPropertiesBean configBean;
@Autowired private JWTSigningAndValidationService jwtService;
////////
@Autowired
private WebResponseExceptionTranslator providerExceptionHandler;
@ -136,10 +160,45 @@ public class AuthorizationRequestEndpoint {
if (claimsUnmatched.isEmpty()) {
// we matched all the claims, create and return the token
//OAuth2AccessTokenEntity accessToken = oidcTokenService.createPermissionedToken(auth, perm);
// PUNT!
return JsonErrorView.VIEWNAME;
// TODO: move this whole mess to the OIDCTokenService
OAuth2Authentication o2auth = (OAuth2Authentication) auth;
OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
authHolder.setAuthentication(o2auth);
authHolder = authenticationHolderRepository.save(authHolder);
token.setAuthenticationHolder(authHolder);
ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
token.setClient(client);
token.setPermissions(Sets.newHashSet(ticket.getPermission()));
JWTClaimsSet claims = new JWTClaimsSet();
claims.setAudience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString()));
claims.setIssuer(configBean.getIssuer());
claims.setJWTID(UUID.randomUUID().toString());
JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims);
jwtService.signJwt(signed);
token.setJwt(signed);
tokenService.saveAccessToken(token);
Map<String, String> entity = ImmutableMap.of("rpt", token.getValue());
m.addAttribute(JsonEntityView.ENTITY, entity);
return JsonEntityView.VIEWNAME;
} else {
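Review bot: The RPT minted in the `claimsUnmatched.isEmpty()` branch is saved with no lifetime: the `JWTClaimsSet` gets only `aud`, `iss` and `jti`, and `token.setExpiration(...)` is never called before `tokenService.saveAccessToken(token)`, so this token and its JWT remain valid indefinitely (the introspection assembler elsewhere only checks expiration when one is set). Nothing visible here consumes the permission ticket after the RPT is issued either; permission tickets are meant to be single-use, so unless the ticket is deleted or marked outside this hunk, the same ticket can be replayed to mint additional RPTs — a `permissionService.delete(ticket)`-style call (whatever the service offers) belongs right after the save. The client's configured validity is the natural bound to reuse (the seed data carries an `access_token_validity_seconds` column; confirm the accessor name on `ClientDetailsEntity`), and an `iat` claim should accompany `exp`; `java.util.Date` would need importing. The enclosing request-handler method begins before this hunk and continues after `} else {`.

```java
claims.setJWTID(UUID.randomUUID().toString());
claims.setIssueTime(new Date());
// Bound the RPT to the client's configured access-token lifetime so it cannot be used forever.
if (client.getAccessTokenValiditySeconds() != null) {
    Date expiration = new Date(System.currentTimeMillis() + client.getAccessTokenValiditySeconds() * 1000L);
    token.setExpiration(expiration);
    claims.setExpirationTime(expiration);
}
// … unchanged: signing, setJwt, saveAccessToken …
// TODO: consume the permission ticket here so it cannot be replayed for another RPT
```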


@ -124,6 +124,21 @@ public class ResourceSetRegistrationEndpoint {
ResourceSet saved = resourceSetService.saveNew(rs);
///////
// TODO: REMOVE
///////
/*
Claim c = new Claim();
c.setName("email");
c.setValue("bob@bob.com");
c.setIssuer(Sets.newHashSet("https://bob.com/"));
saved.setClaimsRequired(Sets.newHashSet(c));
saved = resourceSetService.update(saved, saved);
*/
///////
/// END: REMOVE
///////
m.addAttribute("code", HttpStatus.CREATED);
m.addAttribute("entity", saved);
m.addAttribute("location", config.getIssuer() + URL + "/" + rs.getId());
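Review bot: The fenced-off block between `// TODO: REMOVE` and `/// END: REMOVE` is commented-out code and should be deleted rather than committed: it hard-codes a throwaway identity (`bob@bob.com`, `https://bob.com/`) and the `saved = resourceSetService.update(saved, saved);` call it contains shows a second write after `saveNew` that a later reader may be tempted to re-enable. If the scenario is needed to exercise required claims before that API exists (the commit message says it is still missing), it belongs in a test fixture, not in the registration endpoint. Any `Claim`/`Sets` imports added only for this block would then be unused as well; they are not visible in this section, so check the import list when removing it.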