clean up permissions and access tokens when a resource set is revoked

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -69,7 +69,8 @@ import com.nimbusds.jwt.JWT;
 	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :" + OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
 	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT, query = "select a from OAuth2AccessTokenEntity a where a.client = :" + OAuth2AccessTokenEntity.PARAM_CLIENT),
 	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_ID_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.idToken = :" + OAuth2AccessTokenEntity.PARAM_ID_TOKEN),
-	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE, query = "select a from OAuth2AccessTokenEntity a where a.jwt = :" + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE)
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE, query = "select a from OAuth2AccessTokenEntity a where a.jwt = :" + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :" + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID)
 })
 @org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class)
 @org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class)
@@ -83,12 +84,14 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	public static final String QUERY_BY_REFRESH_TOKEN = "OAuth2AccessTokenEntity.getByRefreshToken";
 	public static final String QUERY_EXPIRED_BY_DATE = "OAuth2AccessTokenEntity.getAllExpiredByDate";
 	public static final String QUERY_ALL = "OAuth2AccessTokenEntity.getAll";
+	public static final String QUERY_BY_RESOURCE_SET = "OAuth2AccessTokenEntity.getByResourceSet";
 
 	public static final String PARAM_TOKEN_VALUE = "tokenValue";
 	public static final String PARAM_ID_TOKEN = "idToken";
 	public static final String PARAM_CLIENT = "client";
 	public static final String PARAM_REFERSH_TOKEN = "refreshToken";
 	public static final String PARAM_DATE = "date";
+	public static final String PARAM_RESOURCE_SET_ID = "rsid";
 	
 	public static String ID_TOKEN_FIELD_NAME = "id_token";
 

openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java

@@ -16,12 +16,14 @@
  *******************************************************************************/
 package org.mitre.oauth2.repository;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Set;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
+import org.mitre.uma.model.ResourceSet;
 
 public interface OAuth2TokenRepository {
 
@@ -59,4 +61,6 @@ public interface OAuth2TokenRepository {
 
 	public Set<OAuth2RefreshTokenEntity> getAllExpiredRefreshTokens();
 
+	public Set<OAuth2AccessTokenEntity> getAccessTokensForResourceSet(ResourceSet rs);
+
 }

openid-connect-common/src/main/java/org/mitre/uma/model/PermissionTicket.java

@@ -49,13 +49,17 @@ import javax.persistence.TemporalType;
 @Table(name = "permission_ticket")
 @NamedQueries({
 	@NamedQuery(name = PermissionTicket.QUERY_TICKET, query = "select p from PermissionTicket p where p.ticket = :" + PermissionTicket.PARAM_TICKET),
-	@NamedQuery(name = PermissionTicket.QUERY_ALL, query = "select p from PermissionTicket p")
+	@NamedQuery(name = PermissionTicket.QUERY_ALL, query = "select p from PermissionTicket p"),
+	@NamedQuery(name = PermissionTicket.QUERY_BY_RESOURCE_SET, query = "select p from PermissionTicket p where p.permission.resourceSet.id = :" + PermissionTicket.PARAM_RESOURCE_SET_ID)
 })
 public class PermissionTicket {
 
 	public static final String QUERY_TICKET = "PermissionTicket.queryByTicket";
-	public static final String PARAM_TICKET = "ticket";
 	public static final String QUERY_ALL = "PermissionTicket.queryAll";
+	public static final String QUERY_BY_RESOURCE_SET = "PermissionTicket.queryByResourceSet";
+	
+	public static final String PARAM_TICKET = "ticket";
+	public static final String PARAM_RESOURCE_SET_ID = "rsid";
 	
 	private Long id;
 	private Permission permission;

openid-connect-common/src/main/java/org/mitre/uma/repository/PermissionRepository.java

@@ -21,6 +21,7 @@ import java.util.Collection;
 
 import org.mitre.uma.model.Permission;
 import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.ResourceSet;
 
 /**
  * @author jricher
@@ -61,9 +62,26 @@ public interface PermissionRepository {
 	public Permission saveRawPermission(Permission p);
 
 	/**
+	 * Get a permission object by its ID (used by the import/export API)
+	 * 
 	 * @param permissionId
 	 * @return
 	 */
 	public Permission getById(Long permissionId);
 
+	/**
+	 * Get all permission tickets issued against a resource set (called when RS is deleted)
+	 * 
+	 * @param rs
+	 * @return
+	 */
+	public Collection<PermissionTicket> getPermissionTicketsForResourceSet(ResourceSet rs);
+
+	/**
+	 * Remove the specified ticket.
+	 * 
+	 * @param ticket
+	 */
+	public void remove(PermissionTicket ticket);
+
 }

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java

@@ -30,6 +30,7 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
+import org.mitre.uma.model.ResourceSet;
 import org.mitre.util.jpa.JpaUtil;
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
@@ -203,4 +204,14 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
 		return new LinkedHashSet<>(query.getResultList());
 	}
 
+	/* (non-Javadoc)
+	 * @see org.mitre.oauth2.repository.OAuth2TokenRepository#getAccessTokensForResourceSet(org.mitre.uma.model.ResourceSet)
+	 */
+	@Override
+	public Set<OAuth2AccessTokenEntity> getAccessTokensForResourceSet(ResourceSet rs) {
+		TypedQuery<OAuth2AccessTokenEntity> query = manager.createNamedQuery(OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, OAuth2AccessTokenEntity.class);
+		query.setParameter(OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID, rs.getId());
+		return new LinkedHashSet<>(query.getResultList());
+	}
+
 }

uma-server/src/main/java/org/mitre/uma/repository/impl/JpaPermissionRepository.java

@@ -23,8 +23,10 @@ import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
 import javax.persistence.TypedQuery;
 
+import org.apache.http.MethodNotSupportedException;
 import org.mitre.uma.model.Permission;
 import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.model.ResourceSet;
 import org.mitre.uma.repository.PermissionRepository;
 import org.mitre.util.jpa.JpaUtil;
 import org.springframework.stereotype.Repository;
@@ -69,6 +71,7 @@ public class JpaPermissionRepository implements PermissionRepository {
 	 * @see org.mitre.uma.repository.PermissionRepository#saveRawPermission(org.mitre.uma.model.Permission)
 	 */
 	@Override
+	@Transactional
 	public Permission saveRawPermission(Permission p) {
 		return JpaUtil.saveOrUpdate(p.getId(), em, p);
 	}
@@ -81,4 +84,26 @@ public class JpaPermissionRepository implements PermissionRepository {
 		return em.find(Permission.class, permissionId);
 	}
 
+	/* (non-Javadoc)
+	 * @see org.mitre.uma.repository.PermissionRepository#getPermissionTicketsForResourceSet(org.mitre.uma.model.ResourceSet)
+	 */
+	@Override
+	public Collection<PermissionTicket> getPermissionTicketsForResourceSet(ResourceSet rs) {
+		TypedQuery<PermissionTicket> query = em.createNamedQuery(PermissionTicket.QUERY_BY_RESOURCE_SET, PermissionTicket.class);
+		query.setParameter(PermissionTicket.PARAM_RESOURCE_SET_ID, rs.getId());
+		return query.getResultList();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.mitre.uma.repository.PermissionRepository#remove(org.mitre.uma.model.PermissionTicket)
+	 */
+	@Override
+	@Transactional
+	public void remove(PermissionTicket ticket) {
+		PermissionTicket found = getByTicket(ticket.getTicket());
+		if (found != null) {
+			em.remove(found);
+		}
+	}
+
 }

uma-server/src/main/java/org/mitre/uma/service/impl/DefaultResourceSetService.java

@@ -19,8 +19,12 @@ package org.mitre.uma.service.impl;
 
 import java.util.Collection;
 
+import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.repository.OAuth2TokenRepository;
+import org.mitre.uma.model.PermissionTicket;
 import org.mitre.uma.model.Policy;
 import org.mitre.uma.model.ResourceSet;
+import org.mitre.uma.repository.PermissionRepository;
 import org.mitre.uma.repository.ResourceSetRepository;
 import org.mitre.uma.service.ResourceSetService;
 import org.slf4j.Logger;
@@ -41,6 +45,12 @@ public class DefaultResourceSetService implements ResourceSetService {
 	
 	@Autowired
 	private ResourceSetRepository repository;
+	
+	@Autowired
+	private OAuth2TokenRepository tokenRepository;
+	
+	@Autowired
+	private PermissionRepository ticketRepository;
 
 	@Override
 	public ResourceSet saveNew(ResourceSet rs) {
@@ -89,6 +99,18 @@ public class DefaultResourceSetService implements ResourceSetService {
 
 	@Override
 	public void remove(ResourceSet rs) {
+		// find all the access tokens issued against this resource set and revoke them
+		Collection<OAuth2AccessTokenEntity> tokens = tokenRepository.getAccessTokensForResourceSet(rs);
+		for (OAuth2AccessTokenEntity token : tokens) {
+			tokenRepository.removeAccessToken(token);
+		}
+		
+		// find all outstanding tickets issued against this resource set and revoke them too
+		Collection<PermissionTicket> tickets = ticketRepository.getPermissionTicketsForResourceSet(rs);
+		for (PermissionTicket ticket : tickets) {
+			ticketRepository.remove(ticket);
+		}
+		
 		repository.remove(rs);
 	}