made claims processor take in policy set and ticket directly

openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java

@@ -17,11 +17,9 @@
 
 package org.mitre.uma.service;
 
-import java.util.Collection;
-
-import org.mitre.uma.model.Claim;
 import org.mitre.uma.model.ClaimProcessingResult;
-import org.mitre.uma.model.Policy;
+import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.ResourceSet;
 
 /**
  * 
@@ -38,10 +36,10 @@ public interface ClaimsProcessingService {
 	 * sufficient to fulfill the requirements given by the claims that
 	 * are required.
 	 * 
-	 * @param claimsRequired the required claims to check against
+	 * @param rs the required claims to check against
-	 * @param claimsSupplied the supplied claims to test
+	 * @param ticket the supplied claims to test
 	 * @return the result of the claims processing action
 	 */
-	public ClaimProcessingResult claimsAreSatisfied(Collection<Policy> claimsRequired, Collection<Claim> claimsSupplied);
+	public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket);
 
 }

uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java

@@ -22,7 +22,9 @@ import java.util.HashSet;
 
 import org.mitre.uma.model.Claim;
 import org.mitre.uma.model.ClaimProcessingResult;
+import org.mitre.uma.model.PermissionTicket;
 import org.mitre.uma.model.Policy;
+import org.mitre.uma.model.ResourceSet;
 import org.mitre.uma.service.ClaimsProcessingService;
 import org.springframework.stereotype.Service;
 
@@ -40,10 +42,12 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
 	 * @see org.mitre.uma.service.ClaimsProcessingService#claimsAreSatisfied(java.util.Collection, java.util.Collection)
 	 */
 	@Override
-	public ClaimProcessingResult claimsAreSatisfied(Collection<Policy> claimsRequired, Collection<Claim> claimsSupplied) {
+	public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
 		Collection<Claim> allUnmatched = new HashSet<>();
-		for (Policy policy : claimsRequired) {
+		for (Policy policy : rs.getPolicies()) {
-			Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), claimsSupplied);
+			if (policy.getScopes().equals(ticket.getPermission().getScopes())) {
+			
+				Collection<Claim> unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
 				if (unmatched.isEmpty()) {
 					// we found something that's satisfied the claims, let's go with it!
 					return new ClaimProcessingResult(policy);
@@ -51,6 +55,10 @@ public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
 					// otherwise add it to the stack to send back
 					allUnmatched.addAll(unmatched);
 				}
+			} else {
+				// scopes didn't match, skip it
+				allUnmatched.addAll(policy.getClaimsRequired());
+			}
 		}
 		
 		// otherwise, tell the caller that we'll need some set of these fulfilled somehow

uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java

@@ -17,23 +17,12 @@
 
 package org.mitre.uma.web;
 
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.UUID;
 
-import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.oauth2.model.AuthenticationHolderEntity;
-import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
-import org.mitre.oauth2.repository.AuthenticationHolderRepository;
-import org.mitre.oauth2.repository.OAuth2TokenRepository;
-import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.oauth2.web.AuthenticationUtilities;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonEntityView;
@@ -49,31 +38,21 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.MimeTypeUtils;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import com.google.gson.JsonPrimitive;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
 
 /**
  * @author jricher
@@ -142,13 +121,13 @@ public class AuthorizationRequestEndpoint {
 					} else {
 						// claims weren't empty or missing, we need to check against what we have
 						
-						ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs.getPolicies(), ticket.getClaimsSupplied());
+						ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket);
 						
-						// we need to downscope this based on the required set that was matched if it was matched
 						
 						if (result.isSatisfied()) {
 							// the service found what it was looking for, issue a token
 
+							// we need to downscope this based on the required set that was matched if it was matched
 							OAuth2Authentication o2auth = (OAuth2Authentication) auth;
 							
 							OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket);