made permission service enforce scoping

2015-03-06 15:50:14 -05:00 · 2015-03-06 15:50:14 -05:00 · e59e988809
parent 5ff9cd1bbb
commit e59e988809
2 changed files with 14 additions and 0 deletions
--- a/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java
+++ b/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java
@ -21,6 +21,7 @@ import java.util.Set;

 import org.mitre.uma.model.Permission;
 import org.mitre.uma.model.ResourceSet;
+import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;


 /**
@ -33,6 +34,7 @@ public interface PermissionService {
 	 * @param resourceSet the resource set to create the permission on
 	 * @param scopes the set of scopes that this permission is for
 	 * @return the created (and stored) permission object, with ticket
+	 * @throws InsufficientScopeException if the scopes in scopes don't match those in resourceSet.getScopes
 	 */
 	public Permission create(ResourceSet resourceSet, Set<String> scopes);

--- a/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java
@ -20,11 +20,13 @@ package org.mitre.uma.service.impl;
 import java.util.Set;
 import java.util.UUID;

+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.uma.model.Permission;
 import org.mitre.uma.model.ResourceSet;
 import org.mitre.uma.repository.PermissionRepository;
 import org.mitre.uma.service.PermissionService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
 import org.springframework.stereotype.Service;

 /**
@ -37,11 +39,21 @@ public class DefaultPermissionService implements PermissionService {
 	@Autowired
 	private PermissionRepository repository;
 	
+	@Autowired
+	private SystemScopeService scopeService;
+	
 	/* (non-Javadoc)
 	 * @see org.mitre.uma.service.PermissionService#create(org.mitre.uma.model.ResourceSet, java.util.Set)
 	 */
 	@Override
 	public Permission create(ResourceSet resourceSet, Set<String> scopes) {
+		
+		// check to ensure that the scopes requested are a subset of those in the resource set
+		
+		if (!scopeService.scopesMatch(resourceSet.getScopes(), scopes)) {
+			throw new InsufficientScopeException("Scopes of resource set are not enough for requested permission.");
+		}
+		
 		Permission p = new Permission();
 		p.setResourceSet(resourceSet);
 		p.setScopes(scopes);