From b0935086c276ef99c65df94ca36ce6c855a299c1 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Mon, 29 Jun 2015 12:54:23 -0400
Subject: [PATCH] made claims processor take in policy set and ticket directly
---
 .../uma/service/ClaimsProcessingService.java | 12 ++++-----
 .../impl/MatchAllClaimsOnAnyPolicy.java | 24 ++++++++++++------
 .../uma/web/AuthorizationRequestEndpoint.java | 25 ++-----------------
 3 files changed, 23 insertions(+), 38 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java b/openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java
index a0688a43f..1d05b8c7e 100644
--- a/openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java
+++ b/openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java
@@ -17,11 +17,9 @@
 package org.mitre.uma.service;
-import java.util.Collection;
-
-import org.mitre.uma.model.Claim;
 import org.mitre.uma.model.ClaimProcessingResult;
-import org.mitre.uma.model.Policy;
+import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.ResourceSet;
 /**
 *
@@ -38,10 +36,10 @@ public interface ClaimsProcessingService {
 * sufficient to fulfill the requirements given by the claims that
 * are required.
 *
- * @param claimsRequired the required claims to check against
- * @param claimsSupplied the supplied claims to test
+ * @param rs the required claims to check against
+ * @param ticket the supplied claims to test
 * @return the result of the claims processing action
 */
- public ClaimProcessingResult claimsAreSatisfied(Collection claimsRequired, Collection claimsSupplied);
+ public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket);
 }
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java b/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
index 99f1403da..f236bd794 100644
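Review bot: The `@param` text in the second hunk was carried over from the old signature, so `@param rs the required claims to check against` and `@param ticket the supplied claims to test` describe Collections that are no longer passed. Reword them as `@param rs the resource set whose policies supply the required claims` and `@param ticket the permission ticket carrying the requested permission and the claims supplied so far`, and state in the summary whether implementations are expected to consider only the policies applicable to the ticket's permission, since that selection now happens behind this interface instead of at the call site. The `@see` line in MatchAllClaimsOnAnyPolicy's second hunk still points at `claimsAreSatisfied(java.util.Collection, java.util.Collection)` and needs the same update to the `(ResourceSet, PermissionTicket)` form.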
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
+++ b/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
@@ -22,7 +22,9 @@ import java.util.HashSet;
 import org.mitre.uma.model.Claim;
 import org.mitre.uma.model.ClaimProcessingResult;
+import org.mitre.uma.model.PermissionTicket;
 import org.mitre.uma.model.Policy;
+import org.mitre.uma.model.ResourceSet;
 import org.mitre.uma.service.ClaimsProcessingService;
 import org.springframework.stereotype.Service;
@@ -40,16 +42,22 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
 * @see org.mitre.uma.service.ClaimsProcessingService#claimsAreSatisfied(java.util.Collection, java.util.Collection)
 */
 @Override
- public ClaimProcessingResult claimsAreSatisfied(Collection claimsRequired, Collection claimsSupplied) {
+ public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
 Collection allUnmatched = new HashSet<>();
- for (Policy policy : claimsRequired) {
- Collection unmatched = checkIndividualClaims(policy.getClaimsRequired(), claimsSupplied);
- if (unmatched.isEmpty()) {
- // we found something that's satisfied the claims, let's go with it!
- return new ClaimProcessingResult(policy);
+ for (Policy policy : rs.getPolicies()) {
+ if (policy.getScopes().equals(ticket.getPermission().getScopes())) {
+
+ Collection unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
+ if (unmatched.isEmpty()) {
+ // we found something that's satisfied the claims, let's go with it!
+ return new ClaimProcessingResult(policy);
+ } else {
+ // otherwise add it to the stack to send back
+ allUnmatched.addAll(unmatched);
+ }
 } else {
- // otherwise add it to the stack to send back
- allUnmatched.addAll(unmatched);
+ // scopes didn't match, skip it
+ allUnmatched.addAll(policy.getClaimsRequired());
 }
 }
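Review bot: The else branch in the second hunk does not do what its comment says: `// scopes didn't match, skip it` is followed by `allUnmatched.addAll(policy.getClaimsRequired());`, which folds every claim required by a policy for a different permission into the unmatched set. If that set is what the caller reports back to the requesting party (the remainder of the method is outside the hunk), a request for one permission discloses the claim requirements of policies for unrelated scopes and asks for claims that could never satisfy this ticket; replacing the branch body with a plain `continue;` (or simply dropping the `addAll`) makes the policy genuinely skipped. `policy.getScopes().equals(ticket.getPermission().getScopes())` requires exact set equality, so a policy covering a superset of the requested scopes never applies — that is fail-closed and acceptable, but deserves a comment such as `// only policies whose scope set exactly equals the requested permission are considered` so a later maintainer does not loosen it by accident. `rs.getPolicies()` and `ticket.getPermission()` are dereferenced without a null check, so if either can be absent on an incoming ticket the comparison surfaces as an unhandled NullPointerException in the endpoint rather than a denial. The `@see` reference above the method still names the old `(java.util.Collection, java.util.Collection)` signature.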
diff --git a/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
index cdc10e151..128a257e9 100644
--- a/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ b/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
@@ -17,23 +17,12 @@
 package org.mitre.uma.web;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.UUID;
-import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.oauth2.model.AuthenticationHolderEntity;
-import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
-import org.mitre.oauth2.repository.AuthenticationHolderRepository;
-import org.mitre.oauth2.repository.OAuth2TokenRepository;
-import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.oauth2.web.AuthenticationUtilities;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonEntityView;
@@ -49,31 +38,21 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.MimeTypeUtils;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import com.google.gson.JsonPrimitive;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
 /**
 * @author jricher
@@ -142,13 +121,13 @@ public class AuthorizationRequestEndpoint {
 } else {
 // claims weren't empty or missing, we need to check against what we have
- ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs.getPolicies(), ticket.getClaimsSupplied());
+ ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket);
- // we need to downscope this based on the required set that was matched if it was matched
 if (result.isSatisfied()) {
 // the service found what it was looking for, issue a token
+ // we need to downscope this based on the required set that was matched if it was matched
 OAuth2Authentication o2auth = (OAuth2Authentication) auth;
 OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket);
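Review bot: The comment moved into the satisfied branch, `// we need to downscope this based on the required set that was matched if it was matched`, now sits directly above `umaTokenService.createRequestingPartyToken(o2auth, ticket)`, but nothing in the branch performs that downscoping: `result` is never read after `isSatisfied()`, so the issued token is shaped by the ticket alone rather than by the policy that was matched. Today MatchAllClaimsOnAnyPolicy only matches a policy whose scope set equals the ticket's permission scopes, so this is not a widening of scope in practice, but the endpoint should not depend on that implementation detail for a bound it claims to apply. Either make the gap explicit with `// TODO: downscope the issued token to the policy matched in result` or pass the matched policy carried by `result` into the token creation. The enclosing handler method begins before this hunk.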