moved an uma package to common, extracted OAuth scope enforcement utility

10 years ago · c41488b103
parent 5be7d64c7d
commit c41488b103
3 changed files with 61 additions and 19 deletions
--- a/openid-connect-common/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/OAuthScopeEnforcementUtilities.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/OAuthScopeEnforcementUtilities.java
@ -0,0 +1,54 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.uma.web;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * 
+ * Utility class to enforce OAuth scopes in authenticated requests.
+ * 
+ * @author jricher
+ *
+ */
+public abstract class OAuthScopeEnforcementUtilities {
+	
+	/**
+	 * Makes sure the authentication contains the given scope, throws an exception otherwise
+	 * @param auth the authentication object to check
+	 * @param scope TODO
+	 * @param scope the scope to look for
+	 * @throws InsufficientScopeException if the authentication does not contain that scope
+	 */
+	public static void ensureOAuthScope(Authentication auth, String scope) {
+		// if auth is OAuth, make sure we've got the right scope
+		if (auth instanceof OAuth2Authentication) {
+			OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) auth;
+			if (oAuth2Authentication.getOAuth2Request().getScope() == null
+					|| !oAuth2Authentication.getOAuth2Request().getScope().contains(scope)) {
+				throw new InsufficientScopeException("Insufficient scope", ImmutableSet.of(scope));
+			}
+		}
+	}
+	
+
+}
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
@ -16,6 +16,8 @@
 *******************************************************************************/
 package org.mitre.uma.web;

+
+import static org.mitre.uma.web.OAuthScopeEnforcementUtilities.ensureOAuthScope;
 import static org.mitre.util.JsonUtils.getAsLong;
 import static org.mitre.util.JsonUtils.getAsString;
 import static org.mitre.util.JsonUtils.getAsStringSet;
@ -39,8 +41,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
-import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.MimeTypeUtils;
@ -50,7 +50,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;

 import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableSet;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParseException;
@ -75,7 +74,7 @@ public class ResourceSetRegistrationEndpoint {
 	
 	@RequestMapping(method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE)
 	public String createResourceSet(@RequestBody String jsonString, Model m, Authentication auth) {
-		ensureOAuthScope(auth);
+		ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
 		
 		ResourceSet rs = parseResourceSet(jsonString);
 		
@ -105,7 +104,7 @@ public class ResourceSetRegistrationEndpoint {

 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
 	public String readResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
-		ensureOAuthScope(auth);
+		ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
 		
 		ResourceSet rs = resourceSetService.getById(id);
 		
@ -133,7 +132,7 @@ public class ResourceSetRegistrationEndpoint {

 	@RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
 	public String updateResourceSet(@PathVariable ("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) {
-		ensureOAuthScope(auth);
+		ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

 		ResourceSet newRs = parseResourceSet(jsonString);

@ -178,7 +177,7 @@ public class ResourceSetRegistrationEndpoint {
 	
 	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
 	public String deleteResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
-		ensureOAuthScope(auth);
+		ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

 		ResourceSet rs = resourceSetService.getById(id);
 		
@ -207,7 +206,7 @@ public class ResourceSetRegistrationEndpoint {
 	
 	@RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
 	public String listResourceSets(Model m, Authentication auth) {
-		ensureOAuthScope(auth);
+		ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
 		
 		String owner = auth.getName();
 		
@ -224,17 +223,6 @@ public class ResourceSetRegistrationEndpoint {
 		return JsonEntityView.VIEWNAME;
 	}

-	private void ensureOAuthScope(Authentication auth) {
-		// if auth is OAuth, make sure we've got the right scope
-		if (auth instanceof OAuth2Authentication) {
-			OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) auth;
-			if (oAuth2Authentication.getOAuth2Request().getScope() == null
-					|| !oAuth2Authentication.getOAuth2Request().getScope().contains(SystemScopeService.UMA_PROTECTION_SCOPE)) {
-				throw new InsufficientScopeException("Insufficient scope", ImmutableSet.of(SystemScopeService.UMA_PROTECTION_SCOPE));
-			}
-		}
-	}
-	
 	private ResourceSet parseResourceSet(String jsonString) {

 		try {