completed rudimentary UMA authorization API.

Working: resource set registration, permission ticket creation, RPT creation from ticket Still missing: adding required claims to resource set, adding provided claims to permission ticket
2015-03-17 22:26:12 -04:00 · 2015-03-17 22:26:12 -04:00 · 7df31f1e87
parent e1769d1545
commit 7df31f1e87
4 changed files with 112 additions and 12 deletions
--- a/openid-connect-server-webapp/src/main/resources/db/clients.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/clients.sql
@ -11,7 +11,9 @@ START TRANSACTION;
 -- 

 INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
-	('client', 'secret', 'Test Client', false, null, 3600, 600, true);
+	('client', 'secret', 'Test Client', false, null, 3600, 600, true),
+	('rs', 'secret', 'Test UMA RS', false, null, null, 600, false),
+	('c', 'secret', 'Test UMA Client', false, null, null, 600, false);

 INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
 	('client', 'openid'),
@ -19,7 +21,9 @@ INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
 	('client', 'email'),
 	('client', 'address'),
 	('client', 'phone'),
-	('client', 'offline_access');
+	('client', 'offline_access'),
+	('rs', 'uma_protection'),
+	('c', 'uma_authorization');

 INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
 	('client', 'http://localhost/'),
@ -29,7 +33,11 @@ INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
 	('client', 'authorization_code'),
 	('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
 	('client', 'implicit'),
-	('client', 'refresh_token');
+	('client', 'refresh_token'),
+	('rs', 'authorization_code'),
+	('rs', 'implicit'),
+	('c', 'authorization_code'),
+	('c', 'implicit');
 	
 --
 -- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
@ -24,6 +24,7 @@ import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.service.IntrospectionResultAssembler;
 import org.mitre.openid.connect.model.UserInfo;
+import org.mitre.uma.model.Permission;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -53,9 +54,26 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA

 		result.put(ACTIVE, true);

-		Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
-		
-		result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
+		if (accessToken.getPermissions() != null && !accessToken.getPermissions().isEmpty()) {
+
+			Set<Object> permissions = Sets.newHashSet();
+			
+			for (Permission perm : accessToken.getPermissions()) {
+				Map<String, Object> o = newLinkedHashMap();
+				o.put("resource_set_id", perm.getResourceSet().getId().toString());
+				Set<String> scopes = Sets.newHashSet(perm.getScopes());
+				o.put("scopes", scopes);
+				permissions.add(o);
+			}
+			
+			result.put("permissions", permissions);
+			
+		} else {
+			Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
+			
+			result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
+			
+		}

 		if (accessToken.getExpiration() != null) {
 			try {
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
@ -17,16 +17,22 @@

 package org.mitre.uma.web;

-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.Map;
+import java.util.UUID;

+import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
+import org.mitre.oauth2.model.AuthenticationHolderEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.repository.AuthenticationHolderRepository;
+import org.mitre.oauth2.repository.OAuth2TokenRepository;
+import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.oauth2.web.AuthenticationUtilities;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonEntityView;
@ -35,11 +41,14 @@ import org.mitre.uma.model.Claim;
 import org.mitre.uma.model.PermissionTicket;
 import org.mitre.uma.model.ResourceSet;
 import org.mitre.uma.service.PermissionService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@ -49,11 +58,18 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;

+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import com.google.gson.JsonPrimitive;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;

 /**
 * @author jricher
@ -77,6 +93,14 @@ public class AuthorizationRequestEndpoint {
 	
 	@Autowired
 	private OIDCTokenService oidcTokenService;
+	
+	/////// TODO: TEMPORARY
+	@Autowired private AuthenticationHolderRepository authenticationHolderRepository;
+	@Autowired private OAuth2TokenRepository tokenRepository;
+	@Autowired private ClientDetailsEntityService clientService;
+	@Autowired private ConfigurationPropertiesBean configBean;
+	@Autowired private JWTSigningAndValidationService jwtService;
+	////////

 	@Autowired
 	private WebResponseExceptionTranslator providerExceptionHandler;
@ -136,10 +160,45 @@ public class AuthorizationRequestEndpoint {
 					
 					if (claimsUnmatched.isEmpty()) {
 						// we matched all the claims, create and return the token
-						//OAuth2AccessTokenEntity accessToken = oidcTokenService.createPermissionedToken(auth, perm);
 						
-						// PUNT!
-						return JsonErrorView.VIEWNAME;
+						
+						// TODO: move this whole mess to the OIDCTokenService
+						
+						OAuth2Authentication o2auth = (OAuth2Authentication) auth;
+						
+						OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
+						AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
+						authHolder.setAuthentication(o2auth);
+						authHolder = authenticationHolderRepository.save(authHolder);
+						
+						token.setAuthenticationHolder(authHolder);
+						
+						ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
+						token.setClient(client);
+						
+						token.setPermissions(Sets.newHashSet(ticket.getPermission()));
+						
+						
+						JWTClaimsSet claims = new JWTClaimsSet();
+						
+						claims.setAudience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString()));
+						claims.setIssuer(configBean.getIssuer());
+						claims.setJWTID(UUID.randomUUID().toString());
+						
+						JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
+						SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims);
+						
+						jwtService.signJwt(signed);
+						
+						token.setJwt(signed);
+						
+						tokenService.saveAccessToken(token);
+						
+						Map<String, String> entity = ImmutableMap.of("rpt", token.getValue());
+						
+						m.addAttribute(JsonEntityView.ENTITY, entity);
+						
+						return JsonEntityView.VIEWNAME;
 						
 					} else {
 						
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
@ -124,6 +124,21 @@ public class ResourceSetRegistrationEndpoint {
 		
 		ResourceSet saved = resourceSetService.saveNew(rs);
 		
+		///////
+		// TODO: REMOVE
+		///////
+		/*
+		Claim c = new Claim();
+		c.setName("email");
+		c.setValue("bob@bob.com");
+		c.setIssuer(Sets.newHashSet("https://bob.com/"));
+		saved.setClaimsRequired(Sets.newHashSet(c));
+		saved = resourceSetService.update(saved, saved);
+		*/
+		///////
+		/// END: REMOVE
+		///////
+		
 		m.addAttribute("code", HttpStatus.CREATED);
 		m.addAttribute("entity", saved);
 		m.addAttribute("location", config.getIssuer() + URL + "/" + rs.getId());