Opened token api access to all users; restricted to only show currently-logged-in-users tokens

openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java

@@ -28,10 +28,6 @@ import org.springframework.security.oauth2.provider.token.ResourceServerTokenSer
 
 public interface OAuth2TokenEntityService extends AuthorizationServerTokenServices, ResourceServerTokenServices {
 	
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
-	
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
-	
 	@Override
 	public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue);
 
@@ -64,4 +60,7 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic
 	
 	public OAuth2RefreshTokenEntity getRefreshTokenById(Long id);
 
+	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String name);
+
+	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String name);
 }

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java

@@ -51,6 +51,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
 		return new LinkedHashSet<OAuth2RefreshTokenEntity>(query.getResultList());	
 	}
 
+	
 	@Override
 	public OAuth2AccessTokenEntity getAccessTokenByValue(String accessTokenValue) {
 		TypedQuery<OAuth2AccessTokenEntity> query = manager.createNamedQuery("OAuth2AccessTokenEntity.getByTokenValue", OAuth2AccessTokenEntity.class);

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -72,12 +72,32 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	@Autowired
 	private TokenEnhancer tokenEnhancer;
 
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokens() {
+	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
-		return tokenRepository.getAllAccessTokens();
+		
+		Set<OAuth2AccessTokenEntity> all = tokenRepository.getAllAccessTokens();
+		Set<OAuth2AccessTokenEntity> results = Sets.newLinkedHashSet();
+		
+		for (OAuth2AccessTokenEntity token : all) {
+			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+				results.add(token);
+			}
+		}
+		
+		return results;
 	}
 		
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens() {
+	
-		return tokenRepository.getAllRefreshTokens();
+	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
+		Set<OAuth2RefreshTokenEntity> all = tokenRepository.getAllRefreshTokens();
+		Set<OAuth2RefreshTokenEntity> results = Sets.newLinkedHashSet();
+		
+		for (OAuth2RefreshTokenEntity token : all) {
+			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+				results.add(token);
+			}
+		}
+		
+		return results;
 	}
 	
 	public OAuth2AccessTokenEntity getAccessTokenById(Long id) {

openid-connect-server/src/main/java/org/mitre/oauth2/web/AccessTokenAPI.java

@@ -1,5 +1,6 @@
 package org.mitre.oauth2.web;
 
+import java.security.Principal;
 import java.util.Set;
 
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
@@ -31,56 +32,32 @@ public class AccessTokenAPI {
 	private static Logger logger = LoggerFactory.getLogger(AccessTokenAPI.class);
 	
 	@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
-	public String getAll(ModelMap m) {
+	public String getAll(ModelMap m, Principal p) {
-
-		Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokens();
 
+		Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokensForUser(p.getName());
 		m.put("entity", allTokens);
-
 		return "jsonEntityView";
 	}
 	
 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
-	public String getById(@PathVariable("id") Long id, ModelMap m) {
+	public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
 		
 		OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
 		
-		if (token != null) {
+		 if (token == null) {
-
-			m.put("entity", token);
-
-			return "jsonEntityView";
-		} else {
-
 			logger.error("getToken failed; token not found: " + id);
-
 			m.put("code", HttpStatus.NOT_FOUND);
 			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
 			return "jsonErrorView";
-		}
+		} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) { 
-	}
+			logger.error("getToken failed; token does not belong to principal " + p.getName());
-	
+			m.put("code", HttpStatus.FORBIDDEN);
-	@PreAuthorize("hasRole('ROLE_ADMIN')")
+			m.put("errorMessage", "You do not have permission to view this token");
-	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
+			return "jsonErrorView";
-	public String delete(@PathVariable("id") Long id, ModelMap m) {
-		
-		OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
-		
-		if (token != null) {
-
-			tokenService.revokeAccessToken(token);
-			m.put("code", HttpStatus.OK);
-			return "httpCodeView";
-			
 		} else {
-
+			m.put("entity", token);
-			logger.error("Delete token failed; token not found: " + id);
+			return "jsonEntityView";
-
-			m.put("code", HttpStatus.NOT_FOUND);
-			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
-			return "jsonErrorView";
 		}
-
 	}
 	
 }

openid-connect-server/src/main/java/org/mitre/oauth2/web/RefreshTokenAPI.java

@@ -1,5 +1,6 @@
 package org.mitre.oauth2.web;
 
+import java.security.Principal;
 import java.util.Set;
 
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
@@ -32,9 +33,9 @@ public class RefreshTokenAPI {
 	private static Logger logger = LoggerFactory.getLogger(RefreshTokenAPI.class);
 	
 	@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
-	public String getAll(ModelMap m) {
+	public String getAll(ModelMap m, Principal p) {
 
-		Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokens();
+		Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokensForUser(p.getName());
 
 		m.put("entity", allTokens);
 
@@ -42,46 +43,24 @@ public class RefreshTokenAPI {
 	}
 	
 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
-	public String getById(@PathVariable("id") Long id, ModelMap m) {
+	public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
 		
 		OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
 		
-		if (token != null) {
+		 if (token == null) {
-
-			m.put("entity", token);
-
-			return "jsonEntityView";
-		} else {
-
 			logger.error("getToken failed; token not found: " + id);
-
 			m.put("code", HttpStatus.NOT_FOUND);
 			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
 			return "jsonErrorView";
-		}
+		} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) { 
-	}
+			logger.error("getToken failed; token does not belong to principal " + p.getName());
-	
+			m.put("code", HttpStatus.FORBIDDEN);
-	@PreAuthorize("hasRole('ROLE_ADMIN')")
+			m.put("errorMessage", "You do not have permission to view this token");
-	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
+			return "jsonErrorView";
-	public String delete(@PathVariable("id") Long id, ModelMap m) {
-		
-		OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
-		
-		if (token != null) {
-
-			tokenService.revokeRefreshToken(token);
-			m.put("code", HttpStatus.OK);
-			return "httpCodeView";
-			
 		} else {
-
+			m.put("entity", token);
-			logger.error("Delete token failed; token not found: " + id);
+			return "jsonEntityView";
-
-			m.put("code", HttpStatus.NOT_FOUND);
-			m.put("errorMessage", "The requested token with id " + id + " could not be found.");
-			return "jsonErrorView";
 		}
-
 	}
 	
 }