removed introspection authorizer hook

pull/708/merge
Justin Richer 10 years ago
parent 2a6a17486a
commit e5e4c15058

@ -1,36 +0,0 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.oauth2.service;
import java.util.Set;
import org.springframework.security.oauth2.provider.ClientDetails;
/**
* Strategy interface used for authorizing token introspection.
*/
public interface IntrospectionAuthorizer {
/**
* @param authClient the authenticated client wanting to perform token introspection
* @param tokenClient the client the token was issued to
* @param tokenScope the scope associated with the token
* @return {@code true} in case introspection is permitted; {@code false} otherwise
*/
boolean isIntrospectionPermitted(ClientDetails authClient, ClientDetails tokenClient, Set<String> tokenScope);
}

@ -1,43 +0,0 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.oauth2.service.impl;
import java.util.Set;
import org.mitre.oauth2.service.IntrospectionAuthorizer;
import org.mitre.oauth2.service.SystemScopeService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Service;
@Service
public class DefaultIntrospectionAuthorizer implements IntrospectionAuthorizer {
@Autowired
private SystemScopeService scopeService;
@Override
public boolean isIntrospectionPermitted(ClientDetails authClient,
ClientDetails tokenClient, Set<String> tokenScope) {
// permit introspection if it's the same client that the token was
// issued to, or it at least has all the scopes the token was issued
// with
return authClient.getClientId().equals(tokenClient.getClientId())
|| scopeService.scopesMatch(authClient.getScope(), tokenScope);
}
}

@ -23,7 +23,6 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.IntrospectionAuthorizer;
import org.mitre.oauth2.service.IntrospectionResultAssembler;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
@ -57,9 +56,6 @@ public class IntrospectionEndpoint {
@Autowired
private ClientDetailsEntityService clientService;
@Autowired
private IntrospectionAuthorizer introspectionAuthorizer;
@Autowired
private IntrospectionResultAssembler introspectionResultAssembler;
@ -168,30 +164,24 @@ public class IntrospectionEndpoint {
}
}
if (introspectionAuthorizer.isIntrospectionPermitted(authClient, tokenClient, scopes)) {
// if it's a valid token, we'll print out information on it
if (accessToken != null) {
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user);
model.addAttribute("entity", entity);
} else if (refreshToken != null) {
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
model.addAttribute("entity", entity);
} else {
// no tokens were found (we shouldn't get here)
logger.error("Verify failed; Invalid access/refresh token");
Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
model.addAttribute("entity", entity);
return JsonEntityView.VIEWNAME;
}
return JsonEntityView.VIEWNAME;
// if it's a valid token, we'll print out information on it
if (accessToken != null) {
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user);
model.addAttribute("entity", entity);
} else if (refreshToken != null) {
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
model.addAttribute("entity", entity);
} else {
logger.error("Verify failed; client configuration or scope don't permit token introspection");
model.addAttribute("code", HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
// no tokens were found (we shouldn't get here)
logger.error("Verify failed; Invalid access/refresh token");
Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
model.addAttribute("entity", entity);
return JsonEntityView.VIEWNAME;
}
return JsonEntityView.VIEWNAME;
}
}
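Review bot: With the `isIntrospectionPermitted` gate gone, the new side of the `@ -168,30 +164,24 @@` hunk hands the assembled entity to any authenticated client that reaches this point, with no check that `authClient` is the client the token was issued to or holds the token's scopes — the two conditions the deleted `DefaultIntrospectionAuthorizer` enforced — so a client can now learn the scope, subject and validity of tokens issued to other clients unless something earlier in the method (outside the hunk) still gates it. If that is the intended policy it should be stated next to the `if (accessToken != null)` line, e.g. `// No per-token client/scope check here: any client permitted to reach this endpoint may introspect any token.`, and the variables the removed call consumed (`tokenClient`, `scopes`) should be dropped if nothing else in the method reads them. The removed `HttpStatus.FORBIDDEN` branch was also the only place a refused introspection was logged; if a gate remains upstream, its refusal path should keep an equivalent `logger.error(...)` line so refusals stay visible in the logs. The enclosing method starts outside the hunk.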

@ -1,112 +0,0 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.oauth2.service.impl;
import static com.google.common.collect.Sets.newHashSet;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import java.util.Set;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mitre.oauth2.service.SystemScopeService;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.oauth2.provider.ClientDetails;
@RunWith(MockitoJUnitRunner.class)
public class TestDefaultIntrospectionAuthorizer {
@InjectMocks
private DefaultIntrospectionAuthorizer introspectionPermitter;
@Mock
private SystemScopeService scopeService;
@Test
public void shouldPermitIntrospectionToSameClientTheTokenWasIssuedTo() {
// given
String sameClient = "same";
// when
boolean permitted = introspectionPermitter.isIntrospectionPermitted(
clientWithId(sameClient), clientWithId(sameClient),
scope("scope"));
// then
assertThat(permitted, is(true));
}
@Test
public void shouldPermitIntrospectionToDifferentClientIfScopesMatch() {
// given
String authClient = "auth";
String tokenClient = "token";
Set<String> authScope = scope("scope1", "scope2", "scope3");
Set<String> tokenScope = scope("scope1", "scope2");
given(scopeService.scopesMatch(authScope, tokenScope)).willReturn(true);
// when
boolean permitted = introspectionPermitter.isIntrospectionPermitted(
clientWithIdAndScope(authClient, authScope),
clientWithId(tokenClient), tokenScope);
// then
assertThat(permitted, is(true));
}
@Test
public void shouldNotPermitIntrospectionToDifferentClientIfScopesDontMatch() {
// given
String authClient = "auth";
String tokenClient = "token";
Set<String> authScope = scope("scope1", "scope2");
Set<String> tokenScope = scope("scope1", "scope2", "scope3");
given(scopeService.scopesMatch(authScope, tokenScope)).willReturn(false);
// when
boolean permitted = introspectionPermitter.isIntrospectionPermitted(
clientWithIdAndScope(authClient, authScope),
clientWithId(tokenClient), tokenScope);
// then
assertThat(permitted, is(false));
}
private ClientDetails clientWithId(String clientId) {
ClientDetails client = mock(ClientDetails.class);
given(client.getClientId()).willReturn(clientId);
return client;
}
private ClientDetails clientWithIdAndScope(String clientId, Set<String> scope) {
ClientDetails client = clientWithId(clientId);
given(client.getScope()).willReturn(scope);
return client;
}
private Set<String> scope(String... scopeItems) {
return newHashSet(scopeItems);
}
}