made claims processor take in policy set and ticket directly
parent
de9f69e461
commit
b0935086c2
|
@ -17,11 +17,9 @@
|
|||
|
||||
package org.mitre.uma.service;
|
||||
|
||||
import java.util.Collection;
|
||||
|
||||
import org.mitre.uma.model.Claim;
|
||||
import org.mitre.uma.model.ClaimProcessingResult;
|
||||
import org.mitre.uma.model.Policy;
|
||||
import org.mitre.uma.model.PermissionTicket;
|
||||
import org.mitre.uma.model.ResourceSet;
|
||||
|
||||
/**
|
||||
*
|
||||
|
@ -38,10 +36,10 @@ public interface ClaimsProcessingService {
|
|||
* sufficient to fulfill the requirements given by the claims that
|
||||
* are required.
|
||||
*
|
||||
* @param claimsRequired the required claims to check against
|
||||
* @param claimsSupplied the supplied claims to test
|
||||
* @param rs the required claims to check against
|
||||
* @param ticket the supplied claims to test
|
||||
* @return the result of the claims processing action
|
||||
*/
|
||||
public ClaimProcessingResult claimsAreSatisfied(Collection<Policy> claimsRequired, Collection<Claim> claimsSupplied);
|
||||
public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket);
|
||||
|
||||
}
|
||||
|
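Review bot: The Javadoc on the new `claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket)` signature keeps the old parameter descriptions, so `@param rs` reads "the required claims to check against" and `@param ticket` "the supplied claims to test", neither of which describes the new types. Suggest `@param rs the resource set whose policies are evaluated` and `@param ticket the permission ticket carrying the requested permission and the claims supplied so far`. Since the caller now hands over the whole resource set instead of a pre-filtered policy collection, the contract should also say whether implementations are expected to restrict matching to policies covering the ticket's permission scopes (the MatchAllClaimsOnAnyPolicy implementation in this commit does), because that decision now lives behind this interface.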
|
|
@ -22,7 +22,9 @@ import java.util.HashSet;
|
|||
|
||||
import org.mitre.uma.model.Claim;
|
||||
import org.mitre.uma.model.ClaimProcessingResult;
|
||||
import org.mitre.uma.model.PermissionTicket;
|
||||
import org.mitre.uma.model.Policy;
|
||||
import org.mitre.uma.model.ResourceSet;
|
||||
import org.mitre.uma.service.ClaimsProcessingService;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
|
@ -40,16 +42,22 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
|
|||
* @see org.mitre.uma.service.ClaimsProcessingService#claimsAreSatisfied(java.util.Collection, java.util.Collection)
|
||||
*/
|
||||
@Override
|
||||
public ClaimProcessingResult claimsAreSatisfied(Collection<Policy> claimsRequired, Collection<Claim> claimsSupplied) {
|
||||
public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
|
||||
Collection<Claim> allUnmatched = new HashSet<>();
|
||||
for (Policy policy : claimsRequired) {
|
||||
Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), claimsSupplied);
|
||||
if (unmatched.isEmpty()) {
|
||||
// we found something that's satisfied the claims, let's go with it!
|
||||
return new ClaimProcessingResult(policy);
|
||||
for (Policy policy : rs.getPolicies()) {
|
||||
if (policy.getScopes().equals(ticket.getPermission().getScopes())) {
|
||||
|
||||
Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
|
||||
if (unmatched.isEmpty()) {
|
||||
// we found something that's satisfied the claims, let's go with it!
|
||||
return new ClaimProcessingResult(policy);
|
||||
} else {
|
||||
// otherwise add it to the stack to send back
|
||||
allUnmatched.addAll(unmatched);
|
||||
}
|
||||
} else {
|
||||
// otherwise add it to the stack to send back
|
||||
allUnmatched.addAll(unmatched);
|
||||
// scopes didn't match, skip it
|
||||
allUnmatched.addAll(policy.getClaimsRequired());
|
||||
}
|
||||
}
|
||||
|
||||
|
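Review bot: The `else` branch for a policy whose scopes do not equal the ticket's permission scopes is commented `// scopes didn't match, skip it` but then runs `allUnmatched.addAll(policy.getClaimsRequired())`, so claim requirements of policies that cannot satisfy this request are folded into the unmatched set that is sent back; that misleads the requester (those claims cannot help) and discloses requirements of policies for unrelated scopes, so if skipping is the intent the branch body should be empty or `continue;`. The strict `equals` on scope sets treats a policy covering a superset of the requested scopes as non-matching, which looks like a deliberate conservative choice but deserves a comment such as `// only policies scoped exactly to the requested permission are considered`. `ticket.getPermission()` is dereferenced without a null check, and whether a ticket can reach this method without a permission is not visible here. The unchanged `@see org.mitre.uma.service.ClaimsProcessingService#claimsAreSatisfied(java.util.Collection, java.util.Collection)` line above the method still references the removed signature. The method's tail, where allUnmatched is presumably returned, lies outside the hunk.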
|
|
@ -17,23 +17,12 @@
|
|||
|
||||
package org.mitre.uma.web;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.UUID;
|
||||
|
||||
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
|
||||
import org.mitre.oauth2.model.AuthenticationHolderEntity;
|
||||
import org.mitre.oauth2.model.ClientDetailsEntity;
|
||||
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
||||
import org.mitre.oauth2.repository.AuthenticationHolderRepository;
|
||||
import org.mitre.oauth2.repository.OAuth2TokenRepository;
|
||||
import org.mitre.oauth2.service.ClientDetailsEntityService;
|
||||
import org.mitre.oauth2.service.OAuth2TokenEntityService;
|
||||
import org.mitre.oauth2.service.SystemScopeService;
|
||||
import org.mitre.oauth2.web.AuthenticationUtilities;
|
||||
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import org.mitre.openid.connect.service.OIDCTokenService;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
import org.mitre.openid.connect.view.JsonEntityView;
|
||||
|
@ -49,31 +38,21 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
|
||||
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
||||
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.ui.Model;
|
||||
import org.springframework.util.MimeTypeUtils;
|
||||
import org.springframework.web.bind.annotation.ExceptionHandler;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
|
||||
import com.google.common.collect.ImmutableMap;
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Sets;
|
||||
import com.google.gson.JsonArray;
|
||||
import com.google.gson.JsonElement;
|
||||
import com.google.gson.JsonObject;
|
||||
import com.google.gson.JsonParser;
|
||||
import com.google.gson.JsonPrimitive;
|
||||
import com.nimbusds.jose.JWSAlgorithm;
|
||||
import com.nimbusds.jose.JWSHeader;
|
||||
import com.nimbusds.jwt.JWTClaimsSet;
|
||||
import com.nimbusds.jwt.SignedJWT;
|
||||
|
||||
/**
|
||||
* @author jricher
|
||||
|
@ -142,13 +121,13 @@ public class AuthorizationRequestEndpoint {
|
|||
} else {
|
||||
// claims weren't empty or missing, we need to check against what we have
|
||||
|
||||
ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs.getPolicies(), ticket.getClaimsSupplied());
|
||||
ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket);
|
||||
|
||||
// we need to downscope this based on the required set that was matched if it was matched
|
||||
|
||||
if (result.isSatisfied()) {
|
||||
// the service found what it was looking for, issue a token
|
||||
|
||||
// we need to downscope this based on the required set that was matched if it was matched
|
||||
OAuth2Authentication o2auth = (OAuth2Authentication) auth;
|
||||
|
||||
OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket);
|
||||
|
|
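Review bot: The comment `// we need to downscope this based on the required set that was matched if it was matched` survives on the new side, yet `createRequestingPartyToken(o2auth, ticket)` is called with the ticket alone and `result`, which carries the matched policy, is not consulted on the visible lines; the rest of the branch is outside the hunk, so this may be handled further down. If the service is now expected to match only policies scoped exactly to the ticket's permission (as MatchAllClaimsOnAnyPolicy in this commit does), the downscoping step may be moot and the comment should say so; otherwise the scope of the issued token still needs to be narrowed before it is created. Either way, a one-line comment stating where the issued RPT's scopes come from would make the authorization decision auditable at this point.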