ensure clients and tokens don't get special system scopes, addresses #320

11 years ago · d3dbb00e77
parent ef01de168d
commit d3dbb00e77
4 changed files with 41 additions and 1 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
@ -78,4 +78,11 @@ public interface SystemScopeService {
 	 * a scope with or without a value in "actual".
 	 */
 	public boolean scopesMatch(Set<String> expected, Set<String> actual);
+
+	/**
+	 * Remove any system-restricted scopes from the set and return the result. 
+	 * @param scopes
+	 * @return
+	 */
+	public Set<String> removeRestrictedScopes(Set<String> scopes);
 }
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@ -73,6 +73,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt

 	@Autowired
 	private BlacklistedSiteService blacklistedSiteService;
+	
+	@Autowired
+	private SystemScopeService scopeService;

 	// map of sector URI -> list of redirect URIs
 	private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder()
@ -130,6 +133,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 		}
 		

+		// make sure a client doesn't get any special system scopes
+		client.setScope(scopeService.removeRestrictedScopes(client.getScope()));
+		
 		return clientRepository.saveClient(client);
 	}

@ -226,6 +232,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 	            	throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri());
 	            }
 			}
+
+			// make sure a client doesn't get any special system scopes
+			newClient.setScope(scopeService.removeRestrictedScopes(newClient.getScope()));
 			
 			return clientRepository.updateClient(oldClient.getId(), newClient);
 		}
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@ -79,6 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	@Autowired
 	private TokenEnhancer tokenEnhancer;
 	
+	@Autowired 
+	private SystemScopeService scopeService;
+	
 	@Override
 	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {

@ -144,6 +147,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			//not unmodifiable. Unmodifiables don't play nicely with Eclipselink, which
 			//wants to use the clone operation.
 			Set<String> scopes = Sets.newHashSet(clientAuth.getScope());
+			// remove any of the special system scopes
+			scopes = scopeService.removeRestrictedScopes(scopes);
 			token.setScope(scopes);

 			// make it expire if necessary 
@ -254,8 +259,13 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi

 		// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
 		Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
-
+		// remove any of the special system scopes
+		refreshScopes = scopeService.removeRestrictedScopes(refreshScopes);
+		
 		Set<String> scope = authRequest.getScope() == null ? new HashSet<String>() : new HashSet<String>(authRequest.getScope());
+		// remove any of the special system scopes
+		scope = scopeService.removeRestrictedScopes(scope);
+
 		if (scope != null && !scope.isEmpty()) {
 			// ensure a proper subset of scopes
 			if (refreshScopes != null && refreshScopes.containsAll(scope)) {
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
@ -63,6 +63,15 @@ public class DefaultSystemScopeService implements SystemScopeService {
 			return (input != null && input.isAllowDynReg());
 		}
 	};
+	
+	private Predicate<String> isRestricted = new Predicate<String>() {
+		@Override
+		public boolean apply(String input) {
+			return (input != null &&
+					!input.equals(ID_TOKEN_SCOPE) &&
+					!input.equals(REGISTRATION_TOKEN_SCOPE));
+		}
+	};

 	private Function<String, SystemScope> stringToSystemScope = new Function<String, SystemScope>() {
 		@Override
@ -230,6 +239,11 @@ public class DefaultSystemScopeService implements SystemScopeService {
    	
    }

+	@Override
+	public Set<String> removeRestrictedScopes(Set<String> scopes) {
+		return new LinkedHashSet<String>(Collections2.filter(scopes, isRestricted));		
+	}
+
 	
 	
 }