ensure clients and tokens don't get special system scopes, addresses #320

pull/544/merge
Justin Richer 11 years ago
parent ef01de168d
commit d3dbb00e77

@ -78,4 +78,11 @@ public interface SystemScopeService {
* a scope with or without a value in "actual". * a scope with or without a value in "actual".
*/ */
public boolean scopesMatch(Set<String> expected, Set<String> actual); public boolean scopesMatch(Set<String> expected, Set<String> actual);
/**
* Remove any system-restricted scopes from the set and return the result.
* @param scopes
* @return
*/
public Set<String> removeRestrictedScopes(Set<String> scopes);
} }
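Review bot: The Javadoc on `removeRestrictedScopes` leaves `@param` and `@return` empty, so the contract of a security filter is unstated at the interface. I would fill them in, for example `@param scopes the scope values to filter` and `@return a new set containing only the scopes that are not system-restricted`. The comment should also say whether a null argument is accepted and whether the input set is modified. The call sites in this commit all reassign the result, so promising a fresh set at the interface level matches how it is used.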

@ -73,6 +73,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
@Autowired @Autowired
private BlacklistedSiteService blacklistedSiteService; private BlacklistedSiteService blacklistedSiteService;
@Autowired
private SystemScopeService scopeService;
// map of sector URI -> list of redirect URIs // map of sector URI -> list of redirect URIs
private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder() private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder()
@ -130,6 +133,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
} }
// make sure a client doesn't get any special system scopes
client.setScope(scopeService.removeRestrictedScopes(client.getScope()));
return clientRepository.saveClient(client); return clientRepository.saveClient(client);
} }
@ -226,6 +232,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri()); throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri());
} }
} }
// make sure a client doesn't get any special system scopes
newClient.setScope(scopeService.removeRestrictedScopes(newClient.getScope()));
return clientRepository.updateClient(oldClient.getId(), newClient); return clientRepository.updateClient(oldClient.getId(), newClient);
} }
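Review bot: The restricted scopes are dropped silently at both call sites, before `saveClient` and before `updateClient`, so a registration or update that asked for a system scope leaves no trace. For detection it would help to compare the scope set before and after filtering and log a warning identifying the client when they differ. Without that, repeated attempts to obtain these scopes are indistinguishable from normal registrations. Both method bodies start outside these hunks, so an existing log statement further up may already cover this.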

@ -79,6 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
@Autowired @Autowired
private TokenEnhancer tokenEnhancer; private TokenEnhancer tokenEnhancer;
@Autowired
private SystemScopeService scopeService;
@Override @Override
public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) { public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
@ -144,6 +147,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
//not unmodifiable. Unmodifiables don't play nicely with Eclipselink, which //not unmodifiable. Unmodifiables don't play nicely with Eclipselink, which
//wants to use the clone operation. //wants to use the clone operation.
Set<String> scopes = Sets.newHashSet(clientAuth.getScope()); Set<String> scopes = Sets.newHashSet(clientAuth.getScope());
// remove any of the special system scopes
scopes = scopeService.removeRestrictedScopes(scopes);
token.setScope(scopes); token.setScope(scopes);
// make it expire if necessary // make it expire if necessary
@ -254,8 +259,13 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token // get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope()); Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
// remove any of the special system scopes
refreshScopes = scopeService.removeRestrictedScopes(refreshScopes);
Set<String> scope = authRequest.getScope() == null ? new HashSet<String>() : new HashSet<String>(authRequest.getScope()); Set<String> scope = authRequest.getScope() == null ? new HashSet<String>() : new HashSet<String>(authRequest.getScope());
// remove any of the special system scopes
scope = scopeService.removeRestrictedScopes(scope);
if (scope != null && !scope.isEmpty()) { if (scope != null && !scope.isEmpty()) {
// ensure a proper subset of scopes // ensure a proper subset of scopes
if (refreshScopes != null && refreshScopes.containsAll(scope)) { if (refreshScopes != null && refreshScopes.containsAll(scope)) {
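Review bot: In the refresh hunk, filtering the requested `scope` before the `if (scope != null && !scope.isEmpty())` test means a request naming only restricted scopes now arrives there as an empty set. It then skips the subset check and is handled by the branch for "no scope requested", which is outside this hunk; presumably that branch grants the refresh token's own scopes, so the request succeeds instead of being rejected. I would record whether the client asked for anything before filtering, e.g. `boolean scopeRequested = !scope.isEmpty();` ahead of the `removeRestrictedScopes` call, and either test that flag in the `if` or reject when filtering removed something. The `scope != null` half of the condition is also redundant now, since the line above always builds a set.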

@ -63,6 +63,15 @@ public class DefaultSystemScopeService implements SystemScopeService {
return (input != null && input.isAllowDynReg()); return (input != null && input.isAllowDynReg());
} }
}; };
private Predicate<String> isRestricted = new Predicate<String>() {
@Override
public boolean apply(String input) {
return (input != null &&
!input.equals(ID_TOKEN_SCOPE) &&
!input.equals(REGISTRATION_TOKEN_SCOPE));
}
};
private Function<String, SystemScope> stringToSystemScope = new Function<String, SystemScope>() { private Function<String, SystemScope> stringToSystemScope = new Function<String, SystemScope>() {
@Override @Override
@ -230,6 +239,11 @@ public class DefaultSystemScopeService implements SystemScopeService {
} }
@Override
public Set<String> removeRestrictedScopes(Set<String> scopes) {
return new LinkedHashSet<String>(Collections2.filter(scopes, isRestricted));
}
} }
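Review bot: The predicate named `isRestricted` returns true for scopes that are not restricted (non-null and equal to neither `ID_TOKEN_SCOPE` nor `REGISTRATION_TOKEN_SCOPE`). The filter is correct today, but anyone who later reuses the field as a membership test will get the security check backwards. I would rename it to `isNotRestricted`, or keep the name and invert both the body and the filter. Separately, `removeRestrictedScopes` passes `scopes` straight to `Collections2.filter`, which rejects a null collection, so a client whose `getScope()` is null would fail on save; a guard such as `if (scopes == null) { return new LinkedHashSet<String>(); }` avoids that. The comparison is also an exact string match, which is worth stating in a comment given that `scopesMatch` in the same service handles scopes carrying a value.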
