From 906db0ac862bf53917618ee0a8b851d16b19611a Mon Sep 17 00:00:00 2001
From: Amanda Anganes <aanganes@mitre.org>
Date: Mon, 29 Jul 2013 09:17:50 -0400
Subject: [PATCH] Opened token api access to all users; restricted to only show
 currently-logged-in user's tokens

---
 .../repository/OAuth2TokenRepository.java     |  2 +-
 .../service/OAuth2TokenEntityService.java     |  7 ++-
 .../impl/JpaOAuth2TokenRepository.java        |  3 +-
 .../DefaultOAuth2ProviderTokenService.java    | 28 +++++++++--
 .../org/mitre/oauth2/web/AccessTokenAPI.java  | 47 +++++--------------
 .../org/mitre/oauth2/web/RefreshTokenAPI.java | 45 +++++-------------
 6 files changed, 54 insertions(+), 78 deletions(-)

diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
index 37b569291..b5a5a945d 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
@@ -62,7 +62,7 @@ public interface OAuth2TokenRepository {
 	public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken);
 
 	public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
-	
+
 	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
 
 }
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
index 8cd64ccd5..bc43ed08a 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
@@ -27,10 +27,6 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTok
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
 
 public interface OAuth2TokenEntityService extends AuthorizationServerTokenServices, ResourceServerTokenServices {
-
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
-	
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
 	
 	@Override
 	public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue);
@@ -64,4 +60,7 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic
 	
 	public OAuth2RefreshTokenEntity getRefreshTokenById(Long id);
 
+	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String name);
+
+	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String name);
 }
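Review bot: The two methods added to OAuth2TokenEntityService at the end of this hunk carry no Javadoc, although the meaning of `name` is the authorization contract every caller relies on. I would document each along the lines of `/** Returns every access token whose authentication holder's principal name equals {@code name}; never null, empty when none match. */`, with the refresh-token variant worded the same way. The parameter is a principal name as compared against `Authentication.getName()` in the implementation, not a database id, which is worth stating because DefaultOAuth2ProviderTokenService currently names the same parameter `id`.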
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java
index b41ccbb20..9b009225f 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java
@@ -48,8 +48,9 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
 	@Override
 	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens() {
 		TypedQuery<OAuth2RefreshTokenEntity> query = manager.createNamedQuery("OAuth2RefreshTokenEntity.getAll", OAuth2RefreshTokenEntity.class);
-		return new LinkedHashSet<OAuth2RefreshTokenEntity>(query.getResultList());
+		return new LinkedHashSet<OAuth2RefreshTokenEntity>(query.getResultList());	
 	}
+
 	
 	@Override
 	public OAuth2AccessTokenEntity getAccessTokenByValue(String accessTokenValue) {
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index 53275502c..e926afa0a 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -72,12 +72,32 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	@Autowired
 	private TokenEnhancer tokenEnhancer;
 
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokens() {
-		return tokenRepository.getAllAccessTokens();
+	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
+		
+		Set<OAuth2AccessTokenEntity> all = tokenRepository.getAllAccessTokens();
+		Set<OAuth2AccessTokenEntity> results = Sets.newLinkedHashSet();
+		
+		for (OAuth2AccessTokenEntity token : all) {
+			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+				results.add(token);
+			}
+		}
+		
+		return results;
 	}
+		
 	
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens() {
-		return tokenRepository.getAllRefreshTokens();
+	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
+		Set<OAuth2RefreshTokenEntity> all = tokenRepository.getAllRefreshTokens();
+		Set<OAuth2RefreshTokenEntity> results = Sets.newLinkedHashSet();
+		
+		for (OAuth2RefreshTokenEntity token : all) {
+			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+				results.add(token);
+			}
+		}
+		
+		return results;
 	}
 	
 	public OAuth2AccessTokenEntity getAccessTokenById(Long id) {
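Review bot: `getAllAccessTokensForUser` and `getAllRefreshTokensForUser` lack `@Override` although they implement the methods this commit adds to OAuth2TokenEntityService, and both name the parameter `id` where the interface says `name`; since it is compared against `Authentication.getName()`, `name` or `principalName` is the accurate label. Both methods also load every token in the store through `getAllAccessTokens()`/`getAllRefreshTokens()` and filter in memory, so the cost of one user's listing grows with the total number of tokens held by the server; a named query selecting on the holder's principal name, alongside the existing `OAuth2RefreshTokenEntity.getAll` query, would keep that filter in the database. The two loops are identical apart from the element type and could share one private helper. `token.getAuthenticationHolder().getAuthentication()` is dereferenced without a null check; if a stored token can have a missing holder or authentication, the listing fails for the whole user instead of skipping that token — confirm the entity invariants. The equality test also assumes principal names form a single namespace; if tokens with no end-user (client-only grants) are stored in the same tables with the client id as the authentication name, confirm that a client id cannot equal a user name.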
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/AccessTokenAPI.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/AccessTokenAPI.java
index 72390ed57..18bd4c18d 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/AccessTokenAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/AccessTokenAPI.java
@@ -1,5 +1,6 @@
 package org.mitre.oauth2.web;
 
+import java.security.Principal;
 import java.util.Set;
 
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
@@ -31,56 +32,32 @@ public class AccessTokenAPI {
 	private static Logger logger = LoggerFactory.getLogger(AccessTokenAPI.class);
 	
 	@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
-	public String getAll(ModelMap m) {
-
-		Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokens();
+	public String getAll(ModelMap m, Principal p) {
 
+		Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokensForUser(p.getName());
 		m.put("entity", allTokens);
-
 		return "jsonEntityView";
 	}
 	
 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
-	public String getById(@PathVariable("id") Long id, ModelMap m) {
+	public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
 		
 		OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
 		
-		if (token != null) {
-
-			m.put("entity", token);
-
-			return "jsonEntityView";
-		} else {
-
+		 if (token == null) {
 			logger.error("getToken failed; token not found: " + id);
-
 			m.put("code", HttpStatus.NOT_FOUND);
 			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
 			return "jsonErrorView";
-		}
-	}
-	
-	@PreAuthorize("hasRole('ROLE_ADMIN')")
-	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
-	public String delete(@PathVariable("id") Long id, ModelMap m) {
-		
-		OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
-		
-		if (token != null) {
-
-			tokenService.revokeAccessToken(token);
-			m.put("code", HttpStatus.OK);
-			return "httpCodeView";
-			
+		} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) { 
+			logger.error("getToken failed; token does not belong to principal " + p.getName());
+			m.put("code", HttpStatus.FORBIDDEN);
+			m.put("errorMessage", "You do not have permission to view this token");
+			return "jsonErrorView";
 		} else {
-
-			logger.error("Delete token failed; token not found: " + id);
-
-			m.put("code", HttpStatus.NOT_FOUND);
-			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
-			return "jsonErrorView";
+			m.put("entity", token);
+			return "jsonEntityView";
 		}
-
 	}
 	
 }
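Review bot: In `getById`, the new FORBIDDEN branch logs `token does not belong to principal` without the token `id`, so a denied attempt cannot be correlated with the resource in the audit log; `logger.warn("getToken failed; token " + id + " does not belong to principal " + p.getName());` would record both, and WARN rather than ERROR fits an expected authorization denial. Because an existing token owned by someone else yields 403 while a missing one yields 404, the endpoint discloses which numeric ids exist; if that matters here, return the NOT_FOUND response in both cases. `p.getName()` in `getAll` and `getById` relies on Spring injecting a non-null `Principal`, which holds only if this mapping is behind an authenticated filter chain the hunk does not show — confirm. The `delete` endpoint is removed outright rather than re-scoped with the same ownership check, and the commit message does not mention that removal. The same points apply to the `getAll` and `getById` hunks of RefreshTokenAPI below, and in both files the new `if (token == null) {` line is indented one space further than its siblings.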
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RefreshTokenAPI.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RefreshTokenAPI.java
index 4c1e8f00b..e2a2a46a4 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RefreshTokenAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RefreshTokenAPI.java
@@ -1,5 +1,6 @@
 package org.mitre.oauth2.web;
 
+import java.security.Principal;
 import java.util.Set;
 
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
@@ -32,9 +33,9 @@ public class RefreshTokenAPI {
 	private static Logger logger = LoggerFactory.getLogger(RefreshTokenAPI.class);
 	
 	@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
-	public String getAll(ModelMap m) {
+	public String getAll(ModelMap m, Principal p) {
 
-		Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokens();
+		Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokensForUser(p.getName());
 
 		m.put("entity", allTokens);
 
@@ -42,46 +43,24 @@ public class RefreshTokenAPI {
 	}
 	
 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
-	public String getById(@PathVariable("id") Long id, ModelMap m) {
+	public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
 		
 		OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
 		
-		if (token != null) {
-
-			m.put("entity", token);
-
-			return "jsonEntityView";
-		} else {
-
+		 if (token == null) {
 			logger.error("getToken failed; token not found: " + id);
-
 			m.put("code", HttpStatus.NOT_FOUND);
 			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
 			return "jsonErrorView";
-		}
-	}
-	
-	@PreAuthorize("hasRole('ROLE_ADMIN')")
-	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
-	public String delete(@PathVariable("id") Long id, ModelMap m) {
-		
-		OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
-		
-		if (token != null) {
-
-			tokenService.revokeRefreshToken(token);
-			m.put("code", HttpStatus.OK);
-			return "httpCodeView";
-			
+		} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) { 
+			logger.error("getToken failed; token does not belong to principal " + p.getName());
+			m.put("code", HttpStatus.FORBIDDEN);
+			m.put("errorMessage", "You do not have permission to view this token");
+			return "jsonErrorView";
 		} else {
-
-			logger.error("Delete token failed; token not found: " + id);
-
-			m.put("code", HttpStatus.NOT_FOUND);
-			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
-			return "jsonErrorView";
+			m.put("entity", token);
+			return "jsonEntityView";
 		}
-
 	}
 	
 }