downscope resulting token based on policy

2015-06-29 20:56:05 -04:00 · 2015-06-29 20:56:05 -04:00 · a8a6e7bf31
parent 7909e3e9ce
commit a8a6e7bf31
4 changed files with 21 additions and 19 deletions
--- a/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java
+++ b/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java
@ -19,6 +19,7 @@ package org.mitre.uma.service;

 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.Policy;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;

 /**
@ -32,10 +33,7 @@ public interface UmaTokenService {
 	/**
 	 * Create the RPT from the given authentication and ticket. 
 	 * 
-	 * @param o2auth
-	 * @param ticket
-	 * @return
 	 */
-	public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket);
+	public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy);

 }
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
+++ b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
@ -18,6 +18,8 @@
 package org.mitre.uma.service.impl;

 import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
 import java.util.UUID;

 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
@ -28,7 +30,9 @@ import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
+import org.mitre.uma.model.Permission;
 import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.Policy;
 import org.mitre.uma.service.UmaTokenService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -65,7 +69,7 @@ public class DefaultUmaTokenService implements UmaTokenService {

 	
 	@Override
-	public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket) {
+	public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy) {
 		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
 		AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
 		authHolder.setAuthentication(o2auth);
@ -76,8 +80,14 @@ public class DefaultUmaTokenService implements UmaTokenService {
 		ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
 		token.setClient(client);
 		
-		token.setPermissions(Sets.newHashSet(ticket.getPermission()));
+		Set<String> ticketScopes = ticket.getPermission().getScopes();
+		Set<String> policyScopes = policy.getScopes();
 		
+		Permission perm = new Permission();
+		perm.setResourceSet(ticket.getPermission().getResourceSet());
+		perm.setScopes(new HashSet<>(Sets.intersection(ticketScopes, policyScopes)));
+		
+		token.setPermissions(Sets.newHashSet(perm));
 		
 		JWTClaimsSet claims = new JWTClaimsSet();
 		
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
+++ b/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
@ -45,19 +45,13 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
 	public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
 		Collection<Claim> allUnmatched = new HashSet<>();
 		for (Policy policy : rs.getPolicies()) {
-			if (policy.getScopes().equals(ticket.getPermission().getScopes())) {
-			
-				Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
-				if (unmatched.isEmpty()) {
-					// we found something that's satisfied the claims, let's go with it!
-					return new ClaimProcessingResult(policy);
-				} else {
-					// otherwise add it to the stack to send back
-					allUnmatched.addAll(unmatched);
-				}
+			Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
+			if (unmatched.isEmpty()) {
+				// we found something that's satisfied the claims, let's go with it!
+				return new ClaimProcessingResult(policy);
 			} else {
-				// scopes didn't match, skip it
-				allUnmatched.addAll(policy.getClaimsRequired());
+				// otherwise add it to the stack to send back
+				allUnmatched.addAll(unmatched);
 			}
 		}
 		
--- a/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ b/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
@ -130,7 +130,7 @@ public class AuthorizationRequestEndpoint {
 							// we need to downscope this based on the required set that was matched if it was matched
 							OAuth2Authentication o2auth = (OAuth2Authentication) auth;
 							
-							OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket);
+							OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket, result.getMatched());

 							// if we have an inbound RPT, throw it out because we're replacing it
 							if (incomingRpt != null) {