github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

downscope resulting token based on policy

pull/820/merge
Justin Richer 2015-06-29 20:56:05 -04:00
parent 7909e3e9ce
commit a8a6e7bf31
4 changed files with 21 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java
View File

@ -19,6 +19,7 @@ package org.mitre.uma.service;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity; import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.uma.model.PermissionTicket; import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.Policy;
import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Authentication;
/** /**
@ -32,10 +33,7 @@ public interface UmaTokenService {
/** /**
* Create the RPT from the given authentication and ticket. * Create the RPT from the given authentication and ticket.
* *
* @param o2auth
* @param ticket
* @return
*/ */
public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket); public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy);
} }

14
uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
View File

@ -18,6 +18,8 @@
package org.mitre.uma.service.impl; package org.mitre.uma.service.impl;
import java.util.Date; import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID; import java.util.UUID;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService; import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
@ -28,7 +30,9 @@ import org.mitre.oauth2.repository.AuthenticationHolderRepository;
import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService; import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.uma.model.Permission;
import org.mitre.uma.model.PermissionTicket; import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.Policy;
import org.mitre.uma.service.UmaTokenService; import org.mitre.uma.service.UmaTokenService;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -65,7 +69,7 @@ public class DefaultUmaTokenService implements UmaTokenService {
@Override @Override
public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket) { public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy) {
OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity(); AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
authHolder.setAuthentication(o2auth); authHolder.setAuthentication(o2auth);
@ -76,8 +80,14 @@ public class DefaultUmaTokenService implements UmaTokenService {
ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId()); ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
token.setClient(client); token.setClient(client);
token.setPermissions(Sets.newHashSet(ticket.getPermission())); Set<String> ticketScopes = ticket.getPermission().getScopes();
Set<String> policyScopes = policy.getScopes();
Permission perm = new Permission();
perm.setResourceSet(ticket.getPermission().getResourceSet());
perm.setScopes(new HashSet<>(Sets.intersection(ticketScopes, policyScopes)));
token.setPermissions(Sets.newHashSet(perm));
JWTClaimsSet claims = new JWTClaimsSet(); JWTClaimsSet claims = new JWTClaimsSet();

18
uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
View File

@ -45,19 +45,13 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) { public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
Collection<Claim> allUnmatched = new HashSet<>(); Collection<Claim> allUnmatched = new HashSet<>();
for (Policy policy : rs.getPolicies()) { for (Policy policy : rs.getPolicies()) {
if (policy.getScopes().equals(ticket.getPermission().getScopes())) { Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
if (unmatched.isEmpty()) {
Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied()); // we found something that's satisfied the claims, let's go with it!
if (unmatched.isEmpty()) { return new ClaimProcessingResult(policy);
// we found something that's satisfied the claims, let's go with it!
return new ClaimProcessingResult(policy);
} else {
// otherwise add it to the stack to send back
allUnmatched.addAll(unmatched);
}
} else { } else {
// scopes didn't match, skip it // otherwise add it to the stack to send back
allUnmatched.addAll(policy.getClaimsRequired()); allUnmatched.addAll(unmatched);
} }
} }

2
uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
View File

@ -130,7 +130,7 @@ public class AuthorizationRequestEndpoint {
// we need to downscope this based on the required set that was matched if it was matched // we need to downscope this based on the required set that was matched if it was matched
OAuth2Authentication o2auth = (OAuth2Authentication) auth; OAuth2Authentication o2auth = (OAuth2Authentication) auth;
OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket); OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket, result.getMatched());
// if we have an inbound RPT, throw it out because we're replacing it // if we have an inbound RPT, throw it out because we're replacing it
if (incomingRpt != null) { if (incomingRpt != null) {