updated to SECOAUTH's horrible new object-breaking authorization request paradigm.

Bonus: it works!

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -29,6 +29,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 
 import com.google.common.base.Splitter;
@@ -52,13 +53,13 @@ import com.google.common.collect.Sets;
 public class TofuUserApprovalHandler implements UserApprovalHandler {
 	
 	@Autowired
-	ApprovedSiteService approvedSiteService;
+	private ApprovedSiteService approvedSiteService;
 	
 	@Autowired
-	WhitelistedSiteService whitelistedSiteService;
+	private WhitelistedSiteService whitelistedSiteService;
 	
 	@Autowired
-	ClientDetailsService clientDetailsService;
+	private ClientDetailsService clientDetailsService;
 	
 	
 	/**
@@ -75,13 +76,52 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 	@Override
 	public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
 		
+		// if this request is already approved, pass that info through
+		// (this flag may be set by updateBeforeApproval, which can also do funny things with scopes, etc)
+		if (authorizationRequest.isApproved()) {
+			return true;
+		} else {
+			// if not, check to see if the user has approved it
+			
+			// TODO: make parameter name configurable?
+			boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
+	
+			return userAuthentication.isAuthenticated() && approved;
+		}
+
+	}
+	
+	/**
+	 * Check whether the requested scope set is a proper subset of the allowed scopes.
+	 * 
+	 * @param requestedScopes
+	 * @param allowedScopes
+	 * @return
+	 */
+	private boolean scopesMatch(Set<String> requestedScopes, Set<String> allowedScopes) {
+		
+		for (String scope : requestedScopes) {
+			
+			if (!allowedScopes.contains(scope)) {
+				return false; //throw new InvalidScopeException("Invalid scope: " + scope, allowedScopes);
+			}
+		}
+		
+		return true;
+	}
+
+	/**
+	 * Pre-process the authorization request during the approval stage, check against whitelist, approved sites, and stuff.
+	 */
+	@Override
+    public AuthorizationRequest updateBeforeApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
 		//First, check database to see if the user identified by the userAuthentication has stored an approval decision
 		
 		//getName may not be filled in? TODO: investigate
 		String userId = userAuthentication.getName();
 		String clientId = authorizationRequest.getClientId();
 		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
-		
+		//TODO: ar.scope
 		String scopes = authorizationRequest.getAuthorizationParameters().get("scope");
 		Set<String> authRequestScopes = Sets.newHashSet(Splitter.on(" ").split(scopes));
 		
@@ -94,8 +134,12 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				//We have a match; update the access date on the AP entry and return true.
 				ap.setAccessDate(new Date());
 				approvedSiteService.save(ap);
+
+				// TODO: WHY DAVE WHY
+				DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
+				ar.setApproved(true);
 				
-				return true;
+				return ar;
 			}
         }
 		
@@ -105,21 +149,29 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 			//Create an approved site
 			approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
 			
-			return true;
+			// TODO: WHY DAVE WHY
+			DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
+			ar.setApproved(true);
+			
+			return ar;
 		}
 		
+		// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
 		boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
 		
 		if (approved && !authorizationRequest.getApprovalParameters().isEmpty()) {
+
+			// TODO: Get SECOAUTH to stop breaking polymorphism and start using real objects, SRSLY
+			DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
 			
 			//Only store an ApprovedSite if the user has checked "remember this decision":
-			if (authorizationRequest.getApprovalParameters().get("remember") != null) {
+			if (ar.getApprovalParameters().get("remember") != null) {
 				
 				//TODO: Remember may eventually have an option to remember for a specific amount
 				//of time; this would set the ApprovedSite.timeout.
 				
 				Set<String> allowedScopes = Sets.newHashSet();
-				Map<String,String> approvalParams = authorizationRequest.getApprovalParameters();
+				Map<String,String> approvalParams = ar.getApprovalParameters();
 				
 				Set<String> keys = approvalParams.keySet();
 				
@@ -137,45 +189,19 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 						}
 					}
 				}
-				
+
-				//FIXME: inject the final allowedScopes set into the AuthorizationRequest. The requester may have
+				// inject the user-allowed scopes into the auth request 
-				//asked for many scopes and the user may have denied some of them.
+				ar.setScope(allowedScopes);
 				
 				approvedSiteService.createApprovedSite(clientId, userId, null, allowedScopes, null);
 			}
 			
-			return true;
+			// TODO: should we set approved here? It gets called later via the isApproved method in this class...
-		}
-
-		return false;
-	}
-	
-	/**
-	 * Check whether the requested scope set is a proper subset of the allowed scopes.
-	 * 
-	 * @param requestedScopes
-	 * @param allowedScopes
-	 * @return
-	 */
-	private boolean scopesMatch(Set<String> requestedScopes, Set<String> allowedScopes) {
-		
-		for (String scope : requestedScopes) {
 			
-			if (!allowedScopes.contains(scope)) {
+			return ar;
-				return false; //throw new InvalidScopeException("Invalid scope: " + scope, allowedScopes);
-			}
 		}
-		
-		return true;
-	}
 
-	//
+		return authorizationRequest;
-	// FIXME
-	// 
-    @Override
-    public AuthorizationRequest updateBeforeApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
-	    // TODO Auto-generated method stub
-	    return null;
     }
 	
 }