|
|
|
|
@ -29,6 +29,7 @@ import org.springframework.security.core.Authentication;
|
|
|
|
|
import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
|
|
|
|
import org.springframework.security.oauth2.provider.ClientDetails;
|
|
|
|
|
import org.springframework.security.oauth2.provider.ClientDetailsService;
|
|
|
|
|
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
|
|
|
|
|
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
|
|
|
|
|
|
|
|
|
|
import com.google.common.base.Splitter;
|
|
|
|
|
@ -52,13 +53,13 @@ import com.google.common.collect.Sets;
|
|
|
|
|
public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
ApprovedSiteService approvedSiteService;
|
|
|
|
|
private ApprovedSiteService approvedSiteService;
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
WhitelistedSiteService whitelistedSiteService;
|
|
|
|
|
private WhitelistedSiteService whitelistedSiteService;
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
ClientDetailsService clientDetailsService;
|
|
|
|
|
private ClientDetailsService clientDetailsService;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -75,13 +76,52 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|
|
|
|
@Override
|
|
|
|
|
public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
|
|
|
|
|
|
|
|
|
|
// if this request is already approved, pass that info through
|
|
|
|
|
// (this flag may be set by updateBeforeApproval, which can also do funny things with scopes, etc)
|
|
|
|
|
if (authorizationRequest.isApproved()) {
|
|
|
|
|
return true;
|
|
|
|
|
} else {
|
|
|
|
|
// if not, check to see if the user has approved it
|
|
|
|
|
|
|
|
|
|
// TODO: make parameter name configurable?
|
|
|
|
|
boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
|
|
|
|
|
|
|
|
|
|
return userAuthentication.isAuthenticated() && approved;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check whether the requested scope set is a proper subset of the allowed scopes.
|
|
|
|
|
*
|
|
|
|
|
* @param requestedScopes
|
|
|
|
|
* @param allowedScopes
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
private boolean scopesMatch(Set<String> requestedScopes, Set<String> allowedScopes) {
|
|
|
|
|
|
|
|
|
|
for (String scope : requestedScopes) {
|
|
|
|
|
|
|
|
|
|
if (!allowedScopes.contains(scope)) {
|
|
|
|
|
return false; //throw new InvalidScopeException("Invalid scope: " + scope, allowedScopes);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Pre-process the authorization request during the approval stage, check against whitelist, approved sites, and stuff.
|
|
|
|
|
*/
|
|
|
|
|
@Override
|
|
|
|
|
public AuthorizationRequest updateBeforeApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
|
|
|
|
|
//First, check database to see if the user identified by the userAuthentication has stored an approval decision
|
|
|
|
|
|
|
|
|
|
//getName may not be filled in? TODO: investigate
|
|
|
|
|
String userId = userAuthentication.getName();
|
|
|
|
|
String clientId = authorizationRequest.getClientId();
|
|
|
|
|
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
|
|
|
|
|
|
|
|
|
|
//TODO: ar.scope
|
|
|
|
|
String scopes = authorizationRequest.getAuthorizationParameters().get("scope");
|
|
|
|
|
Set<String> authRequestScopes = Sets.newHashSet(Splitter.on(" ").split(scopes));
|
|
|
|
|
|
|
|
|
|
@ -94,8 +134,12 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|
|
|
|
//We have a match; update the access date on the AP entry and return true.
|
|
|
|
|
ap.setAccessDate(new Date());
|
|
|
|
|
approvedSiteService.save(ap);
|
|
|
|
|
|
|
|
|
|
// TODO: WHY DAVE WHY
|
|
|
|
|
DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
|
|
|
|
|
ar.setApproved(true);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
return ar;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -105,21 +149,29 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|
|
|
|
//Create an approved site
|
|
|
|
|
approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
// TODO: WHY DAVE WHY
|
|
|
|
|
DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
|
|
|
|
|
ar.setApproved(true);
|
|
|
|
|
|
|
|
|
|
return ar;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
|
|
|
|
|
boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
|
|
|
|
|
|
|
|
|
|
if (approved && !authorizationRequest.getApprovalParameters().isEmpty()) {
|
|
|
|
|
|
|
|
|
|
// TODO: Get SECOAUTH to stop breaking polymorphism and start using real objects, SRSLY
|
|
|
|
|
DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
|
|
|
|
|
|
|
|
|
|
//Only store an ApprovedSite if the user has checked "remember this decision":
|
|
|
|
|
if (authorizationRequest.getApprovalParameters().get("remember") != null) {
|
|
|
|
|
if (ar.getApprovalParameters().get("remember") != null) {
|
|
|
|
|
|
|
|
|
|
//TODO: Remember may eventually have an option to remember for a specific amount
|
|
|
|
|
//of time; this would set the ApprovedSite.timeout.
|
|
|
|
|
|
|
|
|
|
Set<String> allowedScopes = Sets.newHashSet();
|
|
|
|
|
Map<String,String> approvalParams = authorizationRequest.getApprovalParameters();
|
|
|
|
|
Map<String,String> approvalParams = ar.getApprovalParameters();
|
|
|
|
|
|
|
|
|
|
Set<String> keys = approvalParams.keySet();
|
|
|
|
|
|
|
|
|
|
@ -137,45 +189,19 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//FIXME: inject the final allowedScopes set into the AuthorizationRequest. The requester may have
|
|
|
|
|
//asked for many scopes and the user may have denied some of them.
|
|
|
|
|
|
|
|
|
|
// inject the user-allowed scopes into the auth request
|
|
|
|
|
ar.setScope(allowedScopes);
|
|
|
|
|
|
|
|
|
|
approvedSiteService.createApprovedSite(clientId, userId, null, allowedScopes, null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check whether the requested scope set is a proper subset of the allowed scopes.
|
|
|
|
|
*
|
|
|
|
|
* @param requestedScopes
|
|
|
|
|
* @param allowedScopes
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
private boolean scopesMatch(Set<String> requestedScopes, Set<String> allowedScopes) {
|
|
|
|
|
|
|
|
|
|
for (String scope : requestedScopes) {
|
|
|
|
|
// TODO: should we set approved here? It gets called later via the isApproved method in this class...
|
|
|
|
|
|
|
|
|
|
if (!allowedScopes.contains(scope)) {
|
|
|
|
|
return false; //throw new InvalidScopeException("Invalid scope: " + scope, allowedScopes);
|
|
|
|
|
}
|
|
|
|
|
return ar;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// FIXME
|
|
|
|
|
//
|
|
|
|
|
@Override
|
|
|
|
|
public AuthorizationRequest updateBeforeApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
|
|
|
|
|
// TODO Auto-generated method stub
|
|
|
|
|
return null;
|
|
|
|
|
return authorizationRequest;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
Justin Richer
12 years ago